| | Log Name | Event Type | Category | Generated On | User | Source | Description
|
| | Application | Warning | None | 2017-01-09 14:07:47 | | Outlook | 25: Outlook is setting up a local copy of your mailbox. It may be several minutes until all of your data is available.
|
| | Application | Warning | None | 2017-01-09 14:25:54 | | Outlook | 25: Outlook is setting up a local copy of your mailbox. It may be several minutes until all of your data is available.
|
| | Application | Error | 100 | 2017-01-09 19:34:33 | | Application Error | 1000: Faulting application name: KSM.exe, version: 1.0.1.3, time stamp: 0x57cf4503 Faulting module name: KSM.exe, version: 1.0.1.3, time stamp: 0x57cf4503 Exception code: 0xc0000005 Fault offset: 0x000012dc Faulting process id: 0x2f3c Faulting application start time: 0x01d26a74b49ec425 Faulting application path: C:\Program Files (x86)\Kingston_SSD_Manager\KSM.exe Faulting module path: C:\Program Files (x86)\Kingston_SSD_Manager\KSM.exe Report Id: 23c88b8f-8a23-48af-8e5d-907c78a33063 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | None | 2017-01-09 19:39:13 | | SideBySide | 78: Activation context generation failed for "c:\program files (x86)\adobe\adobe creative cloud\utils\Creative Cloud Uninstaller.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifest. Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest.
|
| | Application | Error | None | 2017-01-09 19:53:16 | | Perflib | 1008: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
|
| | Application | Error | None | 2017-01-09 19:53:16 | | Perflib | 1023: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.
|
| | Application | Error | 100 | 2017-01-10 10:22:22 | | Application Error | 1000: Faulting application name: wmiprvse.exe, version: 10.0.14393.0, time stamp: 0x57899ab2 Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f Exception code: 0xc0000374 Fault offset: 0x00000000000f8283 Faulting process id: 0xdac Faulting application start time: 0x01d26af0929ed93f Faulting application path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 6d8bfad0-ea3c-48ee-870e-4b836cbd3e2e Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | 101 | 2017-01-11 09:54:06 | | Application Hang | 1002: The program vmplayer.exe version 12.5.1.12906 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel. Process ID: 21b4 Start Time: 01d26bb5d5c51def Termination Time: 4294967295 Application Path: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe Report Id: 36403d25-d7a9-11e6-aaf7-005056c00008 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | None | 2017-01-11 10:21:20 | | Perflib | 1008: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
|
| | Application | Error | None | 2017-01-11 10:21:20 | | Perflib | 1023: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.
|
| | Application | Error | None | 2017-01-11 10:21:21 | | Perflib | 1022: Windows cannot open the 64-bit extensible counter DLL VMware in a 32-bit environment. Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe.
|
| | Application | Error | None | 2017-01-11 10:21:21 | | Perflib | 1017: Disabled performance counter data collection from the "VMware" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log. Correct the errors before enabling the performance counters for this service.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Warning | None | 2017-01-12 07:19:29 | SYSTEM | Microsoft-Windows-WMI | 63: A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
|
| | Application | Error | None | 2017-01-12 10:17:58 | | RasClient | 20227: CoId={FD27EBCD-C636-4758-8203-F951142DEBD8}: The user SYSTEM dialed a connection named VPN VNPT which has failed. The error code returned on failure is 807.
|
| | Application | Error | None | 2017-01-12 10:18:58 | | RasClient | 20227: CoId={EF417DB8-8F50-46E2-9977-64BF8D06D05B}: The user SYSTEM dialed a connection named VNP which has failed. The error code returned on failure is 807.
|
| | Application | Error | None | 2017-01-12 11:44:56 | | Perflib | 1008: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
|
| | Application | Error | None | 2017-01-12 11:44:56 | | Perflib | 1023: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.
|
| | Application | Error | 100 | 2017-01-12 11:45:30 | | Application Error | 1000: Faulting application name: wmiprvse.exe, version: 10.0.14393.0, time stamp: 0x57899ab2 Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f Exception code: 0xc0000374 Fault offset: 0x00000000000f8283 Faulting process id: 0xca4 Faulting application start time: 0x01d26c8e9ec8280e Faulting application path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: f840daf7-0252-4995-843b-d28dfab1c40e Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | 5973 | 2017-01-12 15:41:45 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 5973: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
|
| | Application | Error | 2400 | 2017-01-12 19:14:45 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 2484: Package Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.
|
| | Application | Error | None | 2017-01-12 20:34:54 | | Microsoft Office 16 | 2011: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2F700375-DAA9-475F-9F75-C7E95E83A15C}
|
| | Application | Error | None | 2017-01-12 20:35:15 | | Microsoft Office 16 | 2011: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2F700375-DAA9-475F-9F75-C7E95E83A15C}
|
| | Application | Error | None | 2017-01-12 20:35:15 | | Office 2016 Licensing Service | 0:
|
| | Application | Error | None | 2017-01-12 21:33:23 | | .NET Runtime | 1026: Application: Tiny.VN.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint, System.Net.SocketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, System.IAsyncResult, System.Exception ByRef) Exception Info: System.Net.WebException at System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest ByRef) at System.Net.WebClient.DownloadString(System.Uri) at Tiny.VN_C4.Form1..ctor() at Tiny.VN_C4.Program.Main()
|
| | Application | Error | 100 | 2017-01-12 21:33:23 | | Application Error | 1000: Faulting application name: Tiny.VN.exe, version: 1.0.0.8, time stamp: 0x58282db2 Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x582588e6 Exception code: 0xe0434352 Fault offset: 0x0000000000017788 Faulting process id: 0x20a0 Faulting application start time: 0x01d26ce0c782632a Faulting application path: C:\Users\Deathadder™\Desktop\tiny.vn_1.0.8\Tiny.VN\Tiny.VN.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Report Id: ff7be9fd-cc59-4121-b4ad-2f9bbc5ed3d4 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | None | 2017-01-12 21:33:57 | | .NET Runtime | 1026: Application: Tiny.VN.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint, System.Net.SocketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, System.IAsyncResult, System.Exception ByRef) Exception Info: System.Net.WebException at System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest ByRef) at System.Net.WebClient.DownloadString(System.Uri) at Tiny.VN_C4.Form1..ctor() at Tiny.VN_C4.Program.Main()
|
| | Application | Error | 100 | 2017-01-12 21:33:57 | | Application Error | 1000: Faulting application name: Tiny.VN.exe, version: 1.0.0.8, time stamp: 0x58282db2 Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x582588e6 Exception code: 0xe0434352 Fault offset: 0x0000000000017788 Faulting process id: 0x1318 Faulting application start time: 0x01d26ce0dbe19875 Faulting application path: C:\Users\Deathadder™\Desktop\tiny.vn_1.0.8\Tiny.VN\Tiny.VN.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Report Id: 10c0b1a0-551c-403b-94ab-0e8c0ca75560 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | None | 2017-01-12 21:34:32 | | .NET Runtime | 1026: Application: Tiny.VN.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint, System.Net.SocketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, System.IAsyncResult, System.Exception ByRef) Exception Info: System.Net.WebException at System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest ByRef) at System.Net.WebClient.DownloadString(System.Uri) at Tiny.VN_C4.Form1..ctor() at Tiny.VN_C4.Program.Main()
|
| | Application | Error | 100 | 2017-01-12 21:34:32 | | Application Error | 1000: Faulting application name: Tiny.VN.exe, version: 1.0.0.8, time stamp: 0x58282db2 Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x582588e6 Exception code: 0xe0434352 Fault offset: 0x0000000000017788 Faulting process id: 0x1f90 Faulting application start time: 0x01d26ce0f0c099ef Faulting application path: C:\Users\Deathadder™\Desktop\tiny.vn_1.0.8\Tiny.VN\Tiny.VN.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Report Id: c6bcaaf7-5326-4f36-9560-c6b42ee04353 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | None | 2017-01-12 21:36:24 | | .NET Runtime | 1026: Application: Tiny.VN.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.DoConnect(System.Net.EndPoint, System.Net.SocketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean, System.Net.Sockets.Socket, System.Net.Sockets.Socket, System.Net.Sockets.Socket ByRef, System.Net.IPAddress ByRef, ConnectSocketState, System.IAsyncResult, System.Exception ByRef) Exception Info: System.Net.WebException at System.Net.WebClient.DownloadDataInternal(System.Uri, System.Net.WebRequest ByRef) at System.Net.WebClient.DownloadString(System.Uri) at Tiny.VN_C4.Form1..ctor() at Tiny.VN_C4.Program.Main()
|
| | Application | Error | 100 | 2017-01-12 21:36:24 | | Application Error | 1000: Faulting application name: Tiny.VN.exe, version: 1.0.0.8, time stamp: 0x58282db2 Faulting module name: KERNELBASE.dll, version: 10.0.14393.479, time stamp: 0x582588e6 Exception code: 0xe0434352 Fault offset: 0x0000000000017788 Faulting process id: 0xe74 Faulting application start time: 0x01d26ce133833f57 Faulting application path: C:\Users\Deathadder™\Desktop\tiny.vn_1.0.8\Tiny.VN\Tiny.VN.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Report Id: 4f46dde0-b4fb-4958-a502-21469bb46439 Faulting package full name: Faulting package-relative application ID:
|
| | Application | Error | 5973 | 2017-01-12 21:39:05 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 5973: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
|
| | Application | Error | 5973 | 2017-01-12 21:39:05 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 5973: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
|
| | Application | Error | None | 2017-01-13 14:10:03 | | Perflib | 1023: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.
|
| | Application | Error | None | 2017-01-13 19:13:41 | | Perflib | 1008: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
|
| | Application | Error | None | 2017-01-13 19:13:44 | | Bonjour Service | 100: mDNSCoreReceiveResponse: Received from FE80:0000:0000:0000:14A6:4D85:0AC3:14BF:5353 4 RAZER.local. Addr 169.254.20.191
|
| | Application | Error | None | 2017-01-13 19:13:44 | | Bonjour Service | 100: mDNSCoreReceiveResponse: ProbeCount 2; will deregister 16 RAZER.local. AAAA FE80:0000:0000:0000:14A6:4D85:0AC3:14BF
|
| | Application | Error | None | 2017-01-13 19:13:44 | | Bonjour Service | 100: Local Hostname RAZER.local already in use; will try RAZER-2.local instead
|
| | Application | Error | None | 2017-01-14 07:20:23 | | Bonjour Service | 100: mDNSCoreReceiveResponse: Received from FE80:0000:0000:0000:65EB:CAA6:C27D:072F:5353 4 RAZER.local. Addr 10.26.10.52
|
| | Application | Error | None | 2017-01-14 07:20:23 | | Bonjour Service | 100: mDNSCoreReceiveResponse: ProbeCount 2; will deregister 16 RAZER.local. AAAA FE80:0000:0000:0000:65EB:CAA6:C27D:072F
|
| | Application | Error | None | 2017-01-14 07:20:23 | | Bonjour Service | 100: Local Hostname RAZER.local already in use; will try RAZER-2.local instead
|
| | Application | Error | None | 2017-01-14 19:27:57 | | Bonjour Service | 100: mDNSCoreReceiveResponse: Received from FE80:0000:0000:0000:441B:787F:A43C:86D1:5353 4 RAZER.local. Addr 192.168.174.1
|
| | Application | Error | None | 2017-01-14 19:27:57 | | Bonjour Service | 100: mDNSCoreReceiveResponse: ProbeCount 2; will deregister 16 RAZER.local. AAAA FE80:0000:0000:0000:441B:787F:A43C:86D1
|
| | Application | Error | None | 2017-01-14 19:27:57 | | Bonjour Service | 100: Local Hostname RAZER.local already in use; will try RAZER-2.local instead
|
| | Application | Error | 5973 | 2017-01-15 11:26:01 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 5973: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
|
| | Application | Error | 101 | 2017-01-15 11:26:06 | | Application Hang | 1002: The program Microsoft.Photos.exe version 1.0.1611.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel. Process ID: 1818 Start Time: 01d26ee73276e6b7 Termination Time: 4294967295 Application Path: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe Report Id: b7c94de9-dada-11e6-ab05-3085a929cbb6 Faulting package full name: Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe Faulting package-relative application ID: App
|
| | Application | Error | None | 2017-01-15 19:08:34 | | Perflib | 1008: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
|
| | Application | Error | None | 2017-01-15 19:08:34 | | Perflib | 1023: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.
|
| | Application | Error | 5973 | 2017-01-15 20:06:32 | Deathadder™ | Microsoft-Windows-Immersive-Shell | 5973: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
|
| | Application | Error | 101 | 2017-01-15 20:06:35 | | Application Hang | 1002: The program Microsoft.Photos.exe version 1.0.1611.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel. Process ID: ca0 Start Time: 01d26f2fe9d45b57 Termination Time: 4294967295 Application Path: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe Report Id: 6f28dd6c-db23-11e6-ab06-3085a929cbb6 Faulting package full name: Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe Faulting package-relative application ID: App
|
| | Application | Error | None | 2017-01-16 09:06:25 | | SideBySide | 78: Activation context generation failed for "c:\program files (x86)\adobe\adobe creative cloud\utils\Creative Cloud Uninstaller.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_89c64d28dafea4b9.manifest. Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.447_none_42191651c6827bb3.manifest.
|
| | Security | Audit Success | 13824 | 2017-01-09 09:10:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x10fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:10:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:10:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x10fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:10:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217f65c Linked Logon ID: 0x2217f68f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217f68f Linked Logon ID: 0x2217f65c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217fdef Linked Logon ID: 0x2217fe4b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217fe4b Linked Logon ID: 0x2217fdef Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2217fe4b Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2217f68f Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2217fdef Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2217f65c Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217f65c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2217fdef Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:18:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:19:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:19:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 09:19:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:19:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:19:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:20:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:21:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:21:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:44 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: mien.hoangthi@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:44 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: mien.hoangthi@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:27:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:28:36 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:28:36 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:28:36 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:30:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: noi.tranthi Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:30:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: noi.tranthi@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:30:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: noi.tranthi@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:31:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:31:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:31:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:31:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 09:31:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-09 09:31:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x3140 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:31:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x3140 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:31:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24e8 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:32:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x3140 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 09:32:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x3140 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22315fcd Linked Logon ID: 0x22316000 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22316000 Linked Logon ID: 0x22315fcd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 10:16:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22315fcd Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:20 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x223165f5 Linked Logon ID: 0x22316657 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22316657 Linked Logon ID: 0x223165f5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22316657 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x223165f5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22316000 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22315fcd Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x223165f5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2f54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2f54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2f54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 10:16:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2f54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 10:28:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 10:28:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 10:28:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 10:28:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 10:28:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x3614 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 11:06:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:06:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-09 11:36:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf78 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:36:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf78 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:36:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa60 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:36:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf78 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:36:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf78 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:48:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa60 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0633 Linked Logon ID: 0x226b0666 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0666 Linked Logon ID: 0x226b0633 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0d43 Linked Logon ID: 0x226b0d94 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0d94 Linked Logon ID: 0x226b0d43 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x226b0d94 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x226b0666 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x226b0633 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x226b0d43 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0633 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x226b0d43 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:50:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:51:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:51:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:59:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x101c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:59:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x101c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:59:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e98 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:59:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x101c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 11:59:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x101c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288b48f Linked Logon ID: 0x2288b4c2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288b4c2 Linked Logon ID: 0x2288b48f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288ba93 Linked Logon ID: 0x2288baf8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288baf8 Linked Logon ID: 0x2288ba93 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2288baf8 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2288ba93 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2288b4c2 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2288b48f Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288b48f Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2288ba93 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x31cc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x31cc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x31cc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 12:58:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x31cc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 13:05:32 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:05:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:05:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:05:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:32 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:32 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:08:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7e0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:12:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 13:12:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 13:21:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2ad4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:21:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2ad4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:21:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x153c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:22:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2ad4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:22:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2ad4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a220ad Linked Logon ID: 0x22a220e0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a220e0 Linked Logon ID: 0x22a220ad Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a22725 Linked Logon ID: 0x22a22775 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a22775 Linked Logon ID: 0x22a22725 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a22775 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a22725 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a220e0 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a220ad Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a220ad Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a22725 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1aa4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:23:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1aa4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:24:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1aa4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:24:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1aa4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:27:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2584 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:27:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2584 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:27:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2584 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 13:27:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2584 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 13:42:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 13:42:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 14:12:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 14:12:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 14:13:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 14:13:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 14:42:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 14:42:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 14:44:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:44:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:44:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x28ac Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:45:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:45:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e4332e Linked Logon ID: 0x22e43361 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e43361 Linked Logon ID: 0x22e4332e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e43aad Linked Logon ID: 0x22e43b06 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e43b06 Linked Logon ID: 0x22e43aad Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22e43b06 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22e43aad Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22e43361 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22e4332e Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e4332e Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22e43aad Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 14:48:53 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 14:48:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15d8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:48:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15d8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:49:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15d8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 14:49:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15d8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 15:12:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 15:12:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 15:42:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 15:42:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 16:12:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 16:12:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 16:18:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 16:18:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 16:42:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 16:42:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-37 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xab4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-37 Account Name: DWM-37 Account Domain: Window Manager Logon ID: 0x232feb0f Linked Logon ID: 0x232feb2f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xab4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-37 Account Name: DWM-37 Account Domain: Window Manager Logon ID: 0x232feb2f Linked Logon ID: 0x232feb0f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xab4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-37 Account Name: DWM-37 Account Domain: Window Manager Logon ID: 0x232feb0f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-37 Account Name: DWM-37 Account Domain: Window Manager Logon ID: 0x232feb2f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-09 17:00:31 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21a243bf This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2bf4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c02d Linked Logon ID: 0x2332c05f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c05f Linked Logon ID: 0x2332c02d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c272 Linked Logon ID: 0x2332c2bd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c2bd Linked Logon ID: 0x2332c272 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c2bd Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c272 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c02d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2332c272 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 17:00:45 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:00:48 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 17:01:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 17:01:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 17:01:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2acc Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 17:01:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 17:01:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12288 | 2017-01-09 19:30:51 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T10:01:37.090780100Z New Time: 2017-01-09T12:30:51.263578000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:30:51 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:30:51.263849700Z New Time: 2017-01-09T12:30:51.263000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-09 19:30:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2908 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:30:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2908 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12288 | 2017-01-09 19:30:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:30:52.542832800Z New Time: 2017-01-09T12:30:52.540000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-09 19:31:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:31:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:32:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2264 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:34:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:34:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 19:35:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-38 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xadc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:35:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-38 Account Name: DWM-38 Account Domain: Window Manager Logon ID: 0x234e8ba7 Linked Logon ID: 0x234e8bbe Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xadc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:35:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-38 Account Name: DWM-38 Account Domain: Window Manager Logon ID: 0x234e8bbe Linked Logon ID: 0x234e8ba7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xadc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:35:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-38 Account Name: DWM-38 Account Domain: Window Manager Logon ID: 0x234e8ba7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:35:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-38 Account Name: DWM-38 Account Domain: Window Manager Logon ID: 0x234e8bbe Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-09 19:35:05 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2332c05f This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e2c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2351fc01 Linked Logon ID: 0x2351fc75 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2351fc75 Linked Logon ID: 0x2351fc01 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x235206ad Linked Logon ID: 0x235206fa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x235206fa Linked Logon ID: 0x235206ad Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x235206fa Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x235206ad Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2351fc01 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x235206ad Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 19:39:15 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:39:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:22 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:39:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-39 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2190 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-39 Account Name: DWM-39 Account Domain: Window Manager Logon ID: 0x235e5289 Linked Logon ID: 0x235e52ac Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2190 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:39:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-39 Account Name: DWM-39 Account Domain: Window Manager Logon ID: 0x235e52ac Linked Logon ID: 0x235e5289 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2190 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:39:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-39 Account Name: DWM-39 Account Domain: Window Manager Logon ID: 0x235e5289 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:39:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-39 Account Name: DWM-39 Account Domain: Window Manager Logon ID: 0x235e52ac Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-09 19:39:59 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2351fc75 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xcc8 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x25ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x25ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x25ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x25ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf80 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf80 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361bfd7 Linked Logon ID: 0x2361c00d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361c00d Linked Logon ID: 0x2361bfd7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361c3d3 Linked Logon ID: 0x2361c424 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361c424 Linked Logon ID: 0x2361c3d3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2361c424 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2361c3d3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361bfd7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2361c3d3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 19:40:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x458 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xf80 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:40:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf80 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12288 | 2017-01-09 19:49:43 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:41:06.173152200Z New Time: 2017-01-09T12:49:43.466933200Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:49:43 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:49:43.467044300Z New Time: 2017-01-09T12:49:43.466000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:49:45 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5d0 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:49:45.216029600Z New Time: 2017-01-09T12:49:45.214000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:02 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a8 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:02 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-09 19:53:02 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a8 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2a8 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x37c New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: ????????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-09 19:53:08 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xb0c3
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 101 | 2017-01-09 19:53:10 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x114f6 Linked Logon ID: 0x11514 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x11514 Linked Logon ID: 0x114f6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x114f6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x11514 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-09 19:53:11 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x630 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x630 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3456c Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x57ffd Linked Logon ID: 0x5802b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5802b Linked Logon ID: 0x57ffd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x57ffd Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5823d Linked Logon ID: 0x5826e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5826e Linked Logon ID: 0x5823d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5826e Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5823d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5823d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:24 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:53:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:53:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:29 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x16d4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:53:29 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x16d4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12292 | 2017-01-09 19:53:31 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-09 19:57:39 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:41 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x270 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x270 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x390 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x270 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x390 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x390 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-09 19:57:43 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa5f1
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x109a8 Linked Logon ID: 0x109bd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x109bd Linked Logon ID: 0x109a8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x109a8 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x109bd Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-09 19:57:45 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 101 | 2017-01-09 19:57:46 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:46 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x21a07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x600 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x26c New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:50 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a8 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:50 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-09 19:57:50 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b0 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-09 19:57:52 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9d4c
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10181 Linked Logon ID: 0x101a3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101a3 Linked Logon ID: 0x10181 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10181 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101a3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x268 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 101 | 2017-01-09 19:57:54 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:54 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x268 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1f803 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x268 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: ????????????????-??6??8?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9d4b
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:55 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 101 | 2017-01-09 19:57:57 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x23c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1055f Linked Logon ID: 0x1057c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x23c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1057c Linked Logon ID: 0x1055f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x23c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1055f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1057c Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:57:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1fc95 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:57:58 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-09 19:58:04 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x50bbc Linked Logon ID: 0x50beb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x50beb Linked Logon ID: 0x50bbc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x51014 Linked Logon ID: 0x5105f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5105f Linked Logon ID: 0x51014 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5105f Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x51014 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x50bbc Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x51014 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-09 19:58:07 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c58a Linked Logon ID: 0x5c5be Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c5be Linked Logon ID: 0x5c58a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c8b8 Linked Logon ID: 0x5c8e6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c8e6 Linked Logon ID: 0x5c8b8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5c8e6 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5c8b8 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c58a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5c8b8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:08 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:10 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x17ac Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:10 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x17ac Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 19:58:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 19:58:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1610 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 19:58:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1610 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12288 | 2017-01-09 20:16:36 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x56c Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T12:59:00.433547100Z New Time: 2017-01-09T13:16:36.508000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-09 20:16:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e14 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 20:16:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e14 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12288 | 2017-01-09 21:17:32 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x56c Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T13:16:36.925358900Z New Time: 2017-01-09T14:17:32.882450300Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-09 21:17:32 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x56c Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T14:17:32.882661500Z New Time: 2017-01-09T14:17:32.882000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-09 21:17:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x50beb User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:17:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x50beb User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:17:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e14 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:17:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e14 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12288 | 2017-01-09 21:17:34 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x56c Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-09T14:17:34.661729200Z New Time: 2017-01-09T14:17:34.661000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12544 | 2017-01-09 21:18:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 21:18:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2017-01-09 21:18:35 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-09 21:18:35 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-09 21:18:35 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-09 21:18:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 21:18:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-09 21:18:37 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 21:18:37 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 21:18:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 21:18:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 21:21:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x50beb User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x17d8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:22:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:22:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:22:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-09 21:22:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 21:22:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 21:22:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-09 21:39:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x50beb User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xb38 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 22:19:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-09 22:19:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-09 22:44:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x48c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-09 22:44:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x8c9f2b Linked Logon ID: 0x8c9f4a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x48c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-09 22:44:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x8c9f4a Linked Logon ID: 0x8c9f2b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x48c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-09 22:44:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x8c9f2b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-09 22:44:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x8c9f4a Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-09 22:44:40 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x50beb This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-10 07:11:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c0c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e8e5c Linked Logon ID: 0x8e8e8e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e8e8e Linked Logon ID: 0x8e8e5c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e90fa Linked Logon ID: 0x8e9154 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e9154 Linked Logon ID: 0x8e90fa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e9154 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e90fa Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e8e5c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8e90fa Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 07:11:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:12:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd0c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:12:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd0c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:12:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd0c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:12:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd0c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 07:13:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 07:14:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:14:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:15:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x1d48 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 07:15:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 07:15:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 07:17:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:17:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:17:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:18:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 07:18:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x984 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 07:20:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:20:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:21:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:25:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:25:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:25:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:25:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 07:26:28 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x174c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x174c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x174c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x174c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:29 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x268c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x268c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x268c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:26:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x268c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:27:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 07:27:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 07:46:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 07:46:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x450 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 08:03:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:03:59 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:04:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:04:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:04:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:04:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:09:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:09:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:11:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:36:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 08:36:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 08:36:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x24bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12288 | 2017-01-10 08:36:39 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x56c Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-10T01:36:39.645128200Z New Time: 2017-01-10T01:36:39.644000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:36:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 08:36:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 08:49:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:49:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 08:50:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x45c Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 08:55:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ec Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 08:55:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 08:55:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 08:55:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 08:55:52 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 08:55:52 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 08:55:52 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 08:55:52 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 08:55:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f88 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 103 | 2017-01-10 08:56:10 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 12545 | 2017-01-10 08:56:10 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8e8e8e This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 09:00:29 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:30 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x26c New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ac New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ????????????????-??6??c?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3ac Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3ac Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 09:00:32 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x97d0
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10196 Linked Logon ID: 0x101af Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101af Linked Logon ID: 0x10196 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10196 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101af Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x438 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x22274 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-10 09:00:46 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a0c2 Linked Logon ID: 0x4a0f0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a0f0 Linked Logon ID: 0x4a0c2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a38c Linked Logon ID: 0x4a3c3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a3c3 Linked Logon ID: 0x4a38c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a3c3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a38c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a0c2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4a38c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:50 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:51 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:51 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:00:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 09:00:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x16c8 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:00:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x16c8 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:00:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-10 09:01:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0c2 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:01:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0c2 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:01:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0c2 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:01:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0c2 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-10 09:01:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:01:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:02:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d40 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12290 | 2017-01-10 09:02:37 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 09:02:37 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 09:02:37 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-10 09:02:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:02:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:02:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:02:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 09:04:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:04:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:09:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:09:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:09:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:09:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:10:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x213c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:10:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x213c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:10:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x213c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:10:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x213c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:15:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x23dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:15:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x23dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:18:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:18:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-10 09:23:47 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4a0f0 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-10 09:23:48 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 09:29:00 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:01 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:02 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x26c New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:03 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 09:29:04 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x97c4
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x100dc Linked Logon ID: 0x100fa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x100fa Linked Logon ID: 0x100dc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x250 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x100dc Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x100fa Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x42c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:07 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x24a75 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:08 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:08 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ecd3 Linked Logon ID: 0x3ed01 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ed01 Linked Logon ID: 0x3ecd3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ef33 Linked Logon ID: 0x3ef72 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ef72 Linked Logon ID: 0x3ef33 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ef72 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ef33 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ecd3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3ef33 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:29:15 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:29:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x168c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:29:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x168c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:29:19 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ecd3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ecd3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ecd3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:29:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ecd3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:30:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ecd3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:31:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:33:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:33:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:35:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xbb8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:36:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2680 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:39:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:39:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:39:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:39:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x212dcf Linked Logon ID: 0x212e02 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x212e02 Linked Logon ID: 0x212dcf Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:41:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x212dcf Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:37 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x213501 Linked Logon ID: 0x21355c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x21355c Linked Logon ID: 0x213501 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x212e02 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x212dcf Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x21355c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x213501 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x213501 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2068 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2068 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2068 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:41:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2068 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:42 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:42 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:41:42 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x428 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:42:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:42:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-10 09:42:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:42:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2430 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2430 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:41 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:41 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:41 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:41 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:44:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3ed01 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x14f0 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:48:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:48:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:05 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a8 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:05 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 09:51:05 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:06 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x398 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ????????????????-??6??8?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 09:51:08 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x981a
|
| | Security | Audit Success | 101 | 2017-01-10 09:51:10 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x210 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xff8e Linked Logon ID: 0xffb1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x210 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xffb1 Linked Logon ID: 0xff8e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x210 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xff8e Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xffb1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1efe9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x638 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x638 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x438 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1164 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1164 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e419 Linked Logon ID: 0x3e462 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e462 Linked Logon ID: 0x3e419 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e83c Linked Logon ID: 0x3e86b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e86b Linked Logon ID: 0x3e83c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1cc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e86b Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e83c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e419 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3e83c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:17 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x8 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x8 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:51:21 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:51:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:51:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x16d0 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:51:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x16d0 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:24 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1164 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:51:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1164 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12545 | 2017-01-10 09:51:42 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3e462 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-10 09:51:43 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 09:52:37 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:38 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b8 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:39 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ????????????????-??6??8?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b8 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b8 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 09:52:40 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9995
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x20c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10111 Linked Logon ID: 0x1012f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x20c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1012f Linked Logon ID: 0x10111 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x20c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10111 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1012f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x21f20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x64c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x64c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x36793 Linked Logon ID: 0x367fe Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x367fe Linked Logon ID: 0x36793 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x371e0 Linked Logon ID: 0x37230 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x37230 Linked Logon ID: 0x371e0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x37230 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x371e0 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x36793 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x371e0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:52:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1454 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:52:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1454 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x367fe Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:52:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x367fe Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12292 | 2017-01-10 09:52:54 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:55 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1574 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1574 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1574 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 09:52:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1574 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 09:53:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x36793 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:53:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x36793 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:53:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x36793 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:54:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x367fe Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:54:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x367fe Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-10 09:54:24 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 09:54:24 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12290 | 2017-01-10 09:54:44 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 09:54:44 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 09:54:44 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-10 09:54:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 09:54:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 09:54:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 09:54:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 09:55:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x367fe User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xb14 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:41 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:41 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 10:17:41 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:42 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x26c New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a0 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x26c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 10:17:44 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x98da
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 101 | 2017-01-10 10:17:46 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106e6 Linked Logon ID: 0x10709 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10709 Linked Logon ID: 0x106e6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x24c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106e6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10709 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1f8ad Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x618 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x618 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:17:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 10:17:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:17:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 10:17:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7f4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:17:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7f4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-10 10:17:56 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-10 10:17:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7f4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:17:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7f4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 10:19:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:19:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa00 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xa00 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:19:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 10:19:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:19:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 103 | 2017-01-10 10:20:41 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a8 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-10 10:20:55 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:57 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x268 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x268 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a8 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x39c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x268 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ????????????????-??6??c?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-10 10:20:59 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x98ca
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xfffd Linked Logon ID: 0x10018 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10018 Linked Logon ID: 0xfffd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xfffd Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10018 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x23324 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-10 10:21:09 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x482a8 Linked Logon ID: 0x482d6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x482d6 Linked Logon ID: 0x482a8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48534 Linked Logon ID: 0x48564 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48564 Linked Logon ID: 0x48534 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48564 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48534 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x482a8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48534 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:52 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:21:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:21:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x18bc Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:21:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x18bc Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 10:21:57 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-10 10:22:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482a8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:22:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482a8 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 10:22:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:22:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 10:23:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:23:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 10:23:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 10:23:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2017-01-10 10:23:07 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 10:23:07 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-10 10:23:07 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 13826 | 2017-01-10 10:23:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 10:23:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:24:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x16b0 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:31:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2330 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:31:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2330 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:31:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2330 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:31:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2330 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x116c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 10:36:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x116c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 11:22:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:22:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:23:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:23:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:23:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 11:48:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:48:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:48:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7d4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:48:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:48:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5270c9 Linked Logon ID: 0x5270fc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5270fc Linked Logon ID: 0x5270c9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5277ef Linked Logon ID: 0x52785a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x52785a Linked Logon ID: 0x5277ef Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x52785a Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5277ef Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5270fc Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5270c9 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5270c9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5277ef Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:19 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x22c0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x22c0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x22c0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:52:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x22c0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 11:55:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 11:55:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 11:55:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 11:55:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 11:57:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c94 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:57:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c94 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:57:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c94 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:57:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c94 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 11:57:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1564 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 12:21:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 12:21:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ecd64 Linked Logon ID: 0x7ecd97 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ecd97 Linked Logon ID: 0x7ecd64 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 12:58:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ecd64 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:08 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ed374 Linked Logon ID: 0x7ed3c8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ed3c8 Linked Logon ID: 0x7ed374 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x7ed3c8 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x7ed374 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x7ecd97 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x7ecd64 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x7ed374 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x216c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x216c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x216c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 12:58:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x216c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 14:25:59 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:25:59 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:26:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:26:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:26:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:26:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-10 14:31:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x157c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:31:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x157c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:31:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x828 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:32:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x157c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:32:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x157c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe945a Linked Logon ID: 0xbe948d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe948d Linked Logon ID: 0xbe945a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 14:34:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe945a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:20 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe9b32 Linked Logon ID: 0xbe9b87 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe9b87 Linked Logon ID: 0xbe9b32 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe9b87 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe9b32 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe948d Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe945a Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe9b32 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:34:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:47:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:47:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:47:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:47:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:50:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa30 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:58:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2228 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:58:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2228 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:58:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2228 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:58:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2228 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 14:58:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2350 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe26887 Linked Logon ID: 0xe268ba Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe268ba Linked Logon ID: 0xe26887 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe26f07 Linked Logon ID: 0xe26f6c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe26f6c Linked Logon ID: 0xe26f07 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe26f6c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe26f07 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe268ba Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe26887 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe26887 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe26f07 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x634 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x634 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x634 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:38:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x634 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x16e8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x16e8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x16e8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x16e8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x678 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe83992 Linked Logon ID: 0xe839c5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe839c5 Linked Logon ID: 0xe83992 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 15:45:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe83992 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:05 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe84083 Linked Logon ID: 0xe840e0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe840e0 Linked Logon ID: 0xe84083 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe840e0 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe84083 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe839c5 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xe83992 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xe84083 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xedc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xedc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xedc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xedc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:52:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x4e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:52:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x4e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:52:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x4e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:52:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x4e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 15:52:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2284 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3a2f2 Linked Logon ID: 0xf3a325 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3a325 Linked Logon ID: 0xf3a2f2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3a9d6 Linked Logon ID: 0xf3aa2d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3aa2d Linked Logon ID: 0xf3a9d6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf3aa2d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf3a9d6 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf3a325 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf3a2f2 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3a2f2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf3a9d6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:45 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 16:05:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e00 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 16:43:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x514 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:43:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x107f8a4 Linked Logon ID: 0x107f8bc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x514 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 16:43:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x107f8bc Linked Logon ID: 0x107f8a4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x514 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 16:43:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x107f8a4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 16:43:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x107f8bc Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 16:43:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 16:43:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-10 16:43:56 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x482d6 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19b4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x890 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x890 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6941 Linked Logon ID: 0x10a6973 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6973 Linked Logon ID: 0x10a6941 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6b7a Linked Logon ID: 0x10a6bc3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6bc3 Linked Logon ID: 0x10a6b7a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6bc3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6b7a Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6941 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x10a6b7a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x890 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x890 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-10 19:32:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:32:33 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:33:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x153c Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:35:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:35:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:35:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:35:23 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-10 19:35:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1054 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:47:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 19:47:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 19:56:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 19:56:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 19:56:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 19:56:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-10 20:54:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2418 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 20:54:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2418 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 20:55:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2418 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 20:55:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2418 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 21:06:25 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 21:06:25 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 22:13:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x56c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 22:13:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x56c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 22:14:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x56c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-10 22:14:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x56c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-10 23:10:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13568 | 2017-01-10 23:10:33 | | Microsoft-Windows-Security-Auditing | 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x193ffcf
|
| | Security | Audit Success | 13568 | 2017-01-10 23:10:33 | | Microsoft-Windows-Security-Auditing | 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x193ffcf
|
| | Security | Audit Success | 13568 | 2017-01-10 23:10:35 | | Microsoft-Windows-Security-Auditing | 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x194b8c5
|
| | Security | Audit Success | 13568 | 2017-01-10 23:10:35 | | Microsoft-Windows-Security-Auditing | 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x3f4 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x194b8c5
|
| | Security | Audit Success | 12544 | 2017-01-10 23:10:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 23:10:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-10 23:15:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-3 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1770 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-10 23:15:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1aba159 Linked Logon ID: 0x1aba17b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1770 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-10 23:15:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1aba17b Linked Logon ID: 0x1aba159 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1770 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-10 23:15:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1aba159 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-10 23:15:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x1aba17b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-10 23:15:22 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x10a6973 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:16:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x854 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:16:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:16:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:16:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:16:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:17:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1fdc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:17:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1fdc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:17:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1fdc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:17:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1fdc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:19:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1580 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:19:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1580 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:19:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x9ac Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:19:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 07:19:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 07:20:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1580 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:20:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1580 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba3e3f Linked Logon ID: 0x1ba3e6e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba3e6e Linked Logon ID: 0x1ba3e3f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba40cb Linked Logon ID: 0x1ba40f9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba40f9 Linked Logon ID: 0x1ba40cb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba40f9 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba40cb Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba3e3f Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1ba40cb Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-11 07:21:10 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba3e6e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba3e6e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba3e6e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2300 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2300 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2300 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:21:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2300 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-4 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x1be144c Linked Logon ID: 0x1be146f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:21:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x1be146f Linked Logon ID: 0x1be144c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 07:21:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x1be144c Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 07:21:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x1be146f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-11 07:21:22 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1ba3e6e This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:25:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c09e84 Linked Logon ID: 0x1c09eb3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c09eb3 Linked Logon ID: 0x1c09e84 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c0a06a Linked Logon ID: 0x1c0a0b2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c0a0b2 Linked Logon ID: 0x1c0a06a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12545 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c0a0b2 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c0a06a Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c09e84 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1c0a06a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-11 07:26:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:26:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 07:26:51 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-11 07:27:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09e84 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:27:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09e84 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:27:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09e84 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:31:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x648 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 07:31:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 07:31:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:34:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:36:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:36:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 07:36:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 07:41:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x214c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 07:41:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x214c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 07:45:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 07:45:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 08:03:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 08:03:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 08:21:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 08:21:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 08:39:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 08:39:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13569 | 2017-01-11 08:39:46 | | Microsoft-Windows-Security-Auditing | 4717: System security access was granted to an account. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Account Modified: Account Name: S-1-5-21-2377419948-2109103339-2207952465-1002 Access Granted: Access Right: SeInteractiveLogonRight
|
| | Security | Audit Success | 13826 | 2017-01-11 08:39:46 | | Microsoft-Windows-Security-Auditing | 4731: A security-enabled local group was created. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Group: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1002 Group Name: __vmware__ Group Domain: RAZER Attributes: SAM Account Name: __vmware__ SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-11 08:39:46 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1002 Group Name: __vmware__ Group Domain: RAZER Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-11 08:40:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 08:40:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 08:40:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 08:40:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 09:33:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:33:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:33:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x84c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:34:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:34:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d457c Linked Logon ID: 0x24d45af Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d45af Linked Logon ID: 0x24d457c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d4c17 Linked Logon ID: 0x24d4c70 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d4c70 Linked Logon ID: 0x24d4c17 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x24d4c70 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x24d4c17 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x24d45af Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x24d457c Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d457c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x24d4c17 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:07 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2768 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2768 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2768 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 09:37:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2768 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 09:41:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 09:41:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 09:54:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 09:54:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 09:56:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1adc Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12545 | 2017-01-11 10:20:56 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1c09eb3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-11 10:20:57 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-11 10:21:12 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:14 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x33c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x398 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3d4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x200 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3d4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3d4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-11 10:21:15 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9bd3
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x200 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106ad Linked Logon ID: 0x106c9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x200 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106c9 Linked Logon ID: 0x106ad Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x200 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106ad Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x106c9 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x67c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x67c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:21:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x28764 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:21:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:21:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 10:21:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:21:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-11 10:21:28 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-11 10:21:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:21:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12290 | 2017-01-11 10:23:20 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-11 10:23:20 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-11 10:23:20 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:23:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-11 10:23:21 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1730 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:23:21 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1730 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6b9f9 Linked Logon ID: 0x6ba37 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6ba37 Linked Logon ID: 0x6b9f9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6be99 Linked Logon ID: 0x6bee5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6bee5 Linked Logon ID: 0x6be99 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6bee5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6be99 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6b9f9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6be99 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:23:22 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 10:23:31 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6b9f9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6b9f9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 10:23:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6b9f9 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 10:24:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2070 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:24:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2070 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:24:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2070 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:24:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2070 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:24:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e28 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:25:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:25:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-11 10:25:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 10:25:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:25:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:25:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 10:26:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:26:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 10:31:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1bcc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:31:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1bcc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:31:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1bcc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:31:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1bcc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:33:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:33:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 10:38:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 10:38:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 10:48:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 10:48:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 11:32:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 11:32:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2458 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2458 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2458 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2458 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:49:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x4bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 11:49:36 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 11:49:36 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 11:51:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d2c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d2c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d2c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d2c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:51:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:57:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2348 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:57:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2348 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:57:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2348 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:57:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2348 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 11:57:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2154 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:47:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1918 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:47:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1918 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:47:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1918 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:47:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1918 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6764 Linked Logon ID: 0xbe6797 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6797 Linked Logon ID: 0xbe6764 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6ccc Linked Logon ID: 0xbe6e88 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6e88 Linked Logon ID: 0xbe6ccc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe6e88 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe6ccc Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe6797 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xbe6764 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6764 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xbe6ccc Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:53 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x277c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x277c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x277c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 12:56:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x277c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 13:33:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 13:33:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 13:33:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 13:34:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 13:34:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 13:34:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 14:36:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1630 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 14:36:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1630 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 14:36:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1630 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 14:36:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1630 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:03:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-11 15:05:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2550 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:05:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2550 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:05:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x588 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:05:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2550 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:05:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2550 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118d91c Linked Logon ID: 0x118d94f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118d94f Linked Logon ID: 0x118d91c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118dd28 Linked Logon ID: 0x118dde4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118dde4 Linked Logon ID: 0x118dd28 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x118dde4 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x118d94f Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x118dd28 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x118d91c Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118d91c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x118dd28 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2018 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2018 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2018 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:29:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2018 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 15:38:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 15:38:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:41:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:41:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:41:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:41:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 15:41:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2628 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1353310 Linked Logon ID: 0x1353343 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1353343 Linked Logon ID: 0x1353310 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1353788 Linked Logon ID: 0x135389d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x135389d Linked Logon ID: 0x1353788 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x135389d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1353788 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1353343 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1353310 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1353310 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1353788 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x24c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x24c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 16:15:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 16:37:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x7b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:37:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x144e462 Linked Logon ID: 0x144e48d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x7b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 16:37:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x144e48d Linked Logon ID: 0x144e462 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x7b0 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 16:37:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x144e462 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 16:37:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x144e48d Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-11 16:37:55 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6ba37 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-11 19:16:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x16c0 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 19:17:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:17:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14caa21 Linked Logon ID: 0x14caa50 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14caa50 Linked Logon ID: 0x14caa21 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14cac96 Linked Logon ID: 0x14cacc4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14cacc4 Linked Logon ID: 0x14cac96 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1bc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14cacc4 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14cac96 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14caa21 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x14cac96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-11 19:19:06 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:12 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:19:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14caa50 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19d8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:32:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x24b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:32:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:32:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x24b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:32:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:34:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14caa50 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:34:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14caa50 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:35:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:35:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:35:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 19:35:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 19:42:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:42:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:42:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:42:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:42:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:42:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x560 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x320 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x684 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_macromed_flash_853cbcf10f17f618.cdf-ms Handle ID: 0x62c Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x320 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_macromed_flash_5ff3bc7496f0271e.cdf-ms Handle ID: 0x560 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\activex.vch Handle ID: 0x62c Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\Flash.ocx Handle ID: 0x684 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x680 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x5e0 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\activex.vch Handle ID: 0x624 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx Handle ID: 0x640 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x678 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 19:42:25 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x568 Process Information: Process ID: 0x22dc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.350_none_43278ee965418581\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 12544 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:42:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xb10 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 19:45:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:45:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:47:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 19:47:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:47:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 19:47:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:48:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:48:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 19:48:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:13:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x104c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:13:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x104c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:13:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x104c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:13:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x104c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 20:14:33 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 20:14:33 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:17:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:17:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:18:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:18:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:18:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c50 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:18:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c50 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:21:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1c50 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:21:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c50 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:21:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:21:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 20:22:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 20:22:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12288 | 2017-01-11 20:22:55 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5cc Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-11T13:22:53.677670500Z New Time: 2017-01-11T13:22:55.849286100Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-11 20:22:55 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5cc Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-11T13:22:55.849072400Z New Time: 2017-01-11T13:22:55.848000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-11 20:22:55 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5cc Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-11T13:22:55.849812300Z New Time: 2017-01-11T13:22:55.847000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-11 20:24:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 20:24:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 21:34:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 21:34:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 21:34:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-11 21:34:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-11 22:12:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-11 22:12:33 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x14caa50 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2017-01-11 22:12:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1c4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-11 22:14:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\bootmgr Handle ID: 0x5c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVClient.exe Handle ID: 0x68 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lsasrv.dll Handle ID: 0x6c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntoskrnl.exe Handle ID: 0x70 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\securekernel.exe Handle ID: 0x74 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\cng.sys Handle ID: 0x78 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x78 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x78 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x80 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x84 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_netswitchteam_11ad3eda0a2aa874.cdf-ms Handle ID: 0x88 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_netlbfo_80fc9ece463f45fa.cdf-ms Handle ID: 0x8c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_appvclient_6909a212b041e3a8.cdf-ms Handle ID: 0x8c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_drivers_193c6528ad70a5e7.cdf-ms Handle ID: 0x8c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_0307ca33e1cd9708.cdf-ms Handle ID: 0x90 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.shellcommon_0eb1b891774fd848.cdf-ms Handle ID: 0x90 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.shell_ed9cce24fb22aa2f.cdf-ms Handle ID: 0x94 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingshandlers-nt_7298028ee386990a.cdf-ms Handle ID: 0x98 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingshandlers-nt_pris_71a69ceed5129daa.cdf-ms Handle ID: 0x9c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_0b97cbddb6bef8ee.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_6f826ed139dc38ac.cdf-ms Handle ID: 0xa0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_b04b2dbada91ba13.cdf-ms Handle ID: 0xa4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_fonts_e1429b15bb7a603f.cdf-ms Handle ID: 0xa8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_pris_c69f4420e8b9ac96.cdf-ms Handle ID: 0xac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.pcshell_f32245a82a039128.cdf-ms Handle ID: 0xa4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.logon_ed8ece16fb61b4e6.cdf-ms Handle ID: 0xb0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.devicesflow_ec484b3fd5ac3a18.cdf-ms Handle ID: 0xb0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.devicesflow_pris_adf81a7b08cd359a.cdf-ms Handle ID: 0xb4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.cred_bcedbcd156367aa9.cdf-ms Handle ID: 0xb8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.blockedshutdown_d158b688ceb68e8d.cdf-ms Handle ID: 0xbc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.biofeedback_43050837db14ffaa.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.applicationmodel.lockscreen_d0e0107729c97a93.cdf-ms Handle ID: 0xbc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_shellexperiencehost_cw5n1h2txyewy_e21c90d9487ed242.cdf-ms Handle ID: 0xbc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_shellexperiencehost_cw5n1h2txyewy_pris_3818bc2422f945c8.cdf-ms Handle ID: 0xbc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_shellexperiencehost_cw5n1h2txyewy_assets_7b05f0549cbec22d.cdf-ms Handle ID: 0xbc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy_5c9bcd2fbb5568e6.cdf-ms Handle ID: 0xc0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy_pris_4411c1f8ffbde214.cdf-ms Handle ID: 0xc4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy_assets_2482c5a7df075309.cdf-ms Handle ID: 0xcc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.secondarytileexperience_cw5n1h2txyewy_feeb4934c04ce9fd.cdf-ms Handle ID: 0xcc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_2d6b8920d3f31e0d.cdf-ms Handle ID: 0xd0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_views_a56f518aba6f0a4b.cdf-ms Handle ID: 0xd0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_views_reactivecat1_9c058eadb68b9deb.cdf-ms Handle ID: 0xd4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_remindersui_b209622a1e713dc6.cdf-ms Handle ID: 0xd8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_remindersui_views_d0db2406281bb392.cdf-ms Handle ID: 0xdc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_places_views_57c50445e88e53df.cdf-ms Handle ID: 0xe0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_places_usercontrols_2a3573c7d77db6a8.cdf-ms Handle ID: 0xe4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_places_usercontrols_view_1e6f83bb23e0c6c9.cdf-ms Handle ID: 0xe4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_personpicture_themes_61d9e2a6d178d0d8.cdf-ms Handle ID: 0xe8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy_29da24b0fd93bf69.cdf-ms Handle ID: 0xec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy_pris_739c1e49050f5c39.cdf-ms Handle ID: 0xec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy_assets_c21827d4b5b1e098.cdf-ms Handle ID: 0xf0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.ppiprojection_cw5n1h2txyewy_ffa89c1a94ba2c74.cdf-ms Handle ID: 0xf0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.ppiprojection_cw5n1h2txyewy_pris_876d294ca326b93c.cdf-ms Handle ID: 0xf4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.ppiprojection_cw5n1h2txyewy_assets_9a1e058120f82961.cdf-ms Handle ID: 0xf8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_43d095bdcce4e130.cdf-ms Handle ID: 0xf8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_pris_4719a634d2c04eec.cdf-ms Handle ID: 0xf8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_f8075bc7ad02362b.cdf-ms Handle ID: 0xfc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_webnotes_febc6b7abccb2874.cdf-ms Handle ID: 0x100 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_persona_4fd2132d4ad15439.cdf-ms Handle ID: 0x100 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_fonts_206f147a74e786c9.cdf-ms Handle ID: 0x100 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_errorpages_73ec08ffb6105e23.cdf-ms Handle ID: 0x100 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.lockapp_cw5n1h2txyewy_6f26550558264bb4.cdf-ms Handle ID: 0x104 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.lockapp_cw5n1h2txyewy_assets_e61eed4a8582e20d.cdf-ms Handle ID: 0x108 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_fc38de406c5c8223.cdf-ms Handle ID: 0x10c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.aad.brokerplugin_cw5n1h2txyewy_d48a5fb790740a92.cdf-ms Handle ID: 0x10c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.aad.brokerplugin_cw5n1h2txyewy_css_af32787f971fc4dd.cdf-ms Handle ID: 0x10c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.aad.brokerplugin_cw5n1h2txyewy_assets_4318eb5d347aa2b1.cdf-ms Handle ID: 0x110 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xd8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x110 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x110 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netswitchteam_c23a4af35d296eac.cdf-ms Handle ID: 0x110 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netlbfo_dfa61a2ec6bf8e00.cdf-ms Handle ID: 0x110 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_appvclient_f101ca87a5fad6fc.cdf-ms Handle ID: 0x114 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_071a28c5b510fb6a.cdf-ms Handle ID: 0x114 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x118 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_plugin-manifests-signed_d1e9d31c180bebd2.cdf-ms Handle ID: 0x11c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_smi_06656483d047b9b9.cdf-ms Handle ID: 0x128 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_smi_schema_b445cd341d59fadc.cdf-ms Handle ID: 0x11c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_smi_manifests_0e3cdef1f9ad7c5f.cdf-ms Handle ID: 0x120 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_oobe_06655c95df2fa06f.cdf-ms Handle ID: 0x120 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_2650d8d30fee1fe9.cdf-ms Handle ID: 0x120 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_f1386c432966667b.cdf-ms Handle ID: 0x124 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_microsoft-windows-msmq-messagingcoreservice_a2ca72db0bdebee3.cdf-ms Handle ID: 0x128 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_microsoft-windows-iis-dl_8822f736d253acda.cdf-ms Handle ID: 0x12c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x130 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_shellexperiences_2912c63bd045ac45.cdf-ms Handle ID: 0x130 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cc9458acec1840ff.cdf-ms Handle ID: 0x124 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_packages_e07c8f8a91f541c4.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_89130cdfc4d9c27c.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_en-us_3b1c5b998da0d4ae.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_1e6ccf0e6a91b570.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_d76332102e6a9a22.cdf-ms Handle ID: 0xc4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_view_34ee44a07ef70449.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_assets_6ba5b2461d9725af.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_pris_a05890fcf353f1d8.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_images_2e6232377292b2dc.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_40104b85a18bfcb2.cdf-ms Handle ID: 0x134 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_0f8924c0debe64e4.cdf-ms Handle ID: 0xc4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_sr-latn-cs_958c186763eec988.cdf-ms Handle ID: 0x138 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_qps-ploc_109d95b40d3e11cb.cdf-ms Handle ID: 0x138 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_efi_0f890f82be247f42.cdf-ms Handle ID: 0x138 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_efi_sr-latn-cs_175a53dc497f4774.cdf-ms Handle ID: 0x13c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_efi_qps-ploc_24e8203102ababf9.cdf-ms Handle ID: 0x140 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_de3c4ceb52549e1c.cdf-ms Handle ID: 0x140 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_en-us_8245c3aed97c0844.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users.cdf-ms Handle ID: 0x144 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_8c076a3be22985a1.cdf-ms Handle ID: 0x144 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_73615b64075aa65f.cdf-ms Handle ID: 0x144 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_sendto_cc2b2363b7303311.cdf-ms Handle ID: 0x144 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x148 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x148 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_provisioning_929be8282aecbf17.cdf-ms Handle ID: 0x14c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_appv_setup_c6b9e738c86ef84a.cdf-ms Handle ID: 0x150 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_internet_explorer_cafab575245eacb0.cdf-ms Handle ID: 0x150 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x154 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_internet_explorer_a421d1bfaf856e2b.cdf-ms Handle ID: 0x158 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_d7a65bb2f0e854e7.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_languagemodel_ccceb944834c6c97.cdf-ms Handle ID: 0x160 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_92b215ec670a7f35.cdf-ms Handle ID: 0x160 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_symbols_4eaf815d64e8ecbc.cdf-ms Handle ID: 0x164 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_oskpred_4ada71c56aba89ef.cdf-ms Handle ID: 0x164 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_osknumpad_ee37ed195958108b.cdf-ms Handle ID: 0x164 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_osknav_bb31da33c2376c77.cdf-ms Handle ID: 0x168 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_oskmenu_4ada925d6aba5911.cdf-ms Handle ID: 0x16c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_oskclearui_efb22b63342a179d.cdf-ms Handle ID: 0x16c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_main_992db4c6307e339e.cdf-ms Handle ID: 0x170 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_keypad_bb29f287c24d4a93.cdf-ms Handle ID: 0x170 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_insert_bb25e7d5c2685e4a.cdf-ms Handle ID: 0x170 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_fsdefinitions_auxpad_bb15ebb5c2b76782.cdf-ms Handle ID: 0x170 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll Handle ID: 0xc8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Internet Explorer\IEShims.dll Handle ID: 0x17c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files (x86)\Internet Explorer\IEShims.dll Handle ID: 0x17c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys.bin Handle ID: 0x174 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys_noprompt.bin Handle ID: 0x17c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\qps-ploc\memtest.efi.mui Handle ID: 0x180 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\sr-Latn-CS\memtest.efi.mui Handle ID: 0x184 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui Handle ID: 0x188 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\qps-ploc\memtest.exe.mui Handle ID: 0x18c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\sr-Latn-CS\bootmgr.exe.mui Handle ID: 0x190 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\sr-Latn-CS\memtest.exe.mui Handle ID: 0x194 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettings.dll Handle ID: 0x198 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll Handle ID: 0x1a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\Telemetry.Desktop.dll Handle ID: 0x1a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\apps.inf Handle ID: 0x1a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\WindowsUpdate.admx Handle ID: 0x1a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml Handle ID: 0x1a4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Microsoft-Common-Provisioning.dat Handle ID: 0x1a8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Microsoft-Desktop-Provisioning.dat Handle ID: 0x1b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.Control.ppkg Handle ID: 0x1b4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.CPU.ppkg Handle ID: 0x1bc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.Display.ppkg Handle ID: 0x1c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.MBB.ppkg Handle ID: 0x1b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.StandbyActivation.ppkg Handle ID: 0x1c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.Storage.ppkg Handle ID: 0x1c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.Telemetry.ppkg Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.Wifi.ppkg Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Battery.ppkg Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Button.ppkg Handle ID: 0x1c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Disk.ppkg Handle ID: 0x1c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Display.ppkg Handle ID: 0x1c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.EnergySaver.ppkg Handle ID: 0x1cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.IdleResiliency.ppkg Handle ID: 0x1cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.PCIExpress.ppkg Handle ID: 0x1cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Processor.ppkg Handle ID: 0x1d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Packages\Power.Settings.Sleep.ppkg Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\ClockFlyoutExperience.dll Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\InputDial.dll Handle ID: 0x1dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\JumpViewUI.dll Handle ID: 0x1e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:44 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\MtcUvc.dll Handle ID: 0x1e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PenWorkspace.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\QuickActions.dll Handle ID: 0x1e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\QuickConnectUI.dll Handle ID: 0x1e8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\SharePickerUI.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\StartUI.dll Handle ID: 0x1f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\Windows.UI.ActionCenter.dll Handle ID: 0x1f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aadcloudap.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aadtb.dll Handle ID: 0x1f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aclui.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aeinv.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVCatalog.dll Handle ID: 0x1f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVDllSurrogate.exe Handle ID: 0x1f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVEntStreamingManager.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVEntSubsystemController.dll Handle ID: 0x1e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVEntSubsystems64.dll Handle ID: 0x1e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVEntVirtualization.dll Handle ID: 0x1ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVIntegration.dll Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVManifest.dll Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVOrchestration.dll Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVPolicy.dll Handle ID: 0x1d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVPublishing.dll Handle ID: 0x1f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVReporting.dll Handle ID: 0x1d8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVScripting.dll Handle ID: 0x1fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppVShNotify.exe Handle ID: 0x1fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentExtensions.onecore.dll Handle ID: 0x1fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentServer.dll Handle ID: 0x1d8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEndpointBuilder.dll Handle ID: 0x1d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEng.dll Handle ID: 0x1d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AUDIOKSE.dll Handle ID: 0x1d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioSes.dll Handle ID: 0x1d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audiosrv.dll Handle ID: 0x200 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AzureSettingSyncProvider.dll Handle ID: 0x1cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\certprop.dll Handle ID: 0x210 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakra.dll Handle ID: 0x210 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ClipUp.exe Handle ID: 0x1c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cloudAP.dll Handle ID: 0x1c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CloudBackupSettings.dll Handle ID: 0x1bc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CloudExperienceHost.dll Handle ID: 0x1b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ConsoleLogon.dll Handle ID: 0x1b4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cryptui.dll Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\d2d1.dll Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\D3D12.dll Handle ID: 0x1a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\D3DCompiler_47.dll Handle ID: 0x1c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeveloperOptionsSettingsHandlers.dll Handle ID: 0x1a8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\domgmt.dll Handle ID: 0x1ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dosvc.dll Handle ID: 0x204 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\edgehtml.dll Handle ID: 0x194 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fhcfg.dll Handle ID: 0x204 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fhsettingsprovider.dll Handle ID: 0x208 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ie4uinit.exe Handle ID: 0x204 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ImplatSetup.dll Handle ID: 0x1ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\indexeddbserver.dll Handle ID: 0x198 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallAgent.exe Handle ID: 0x1ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallAgentUserBroker.exe Handle ID: 0x208 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kerberos.dll Handle ID: 0x20c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCore.dll Handle ID: 0x20c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCsp.dll Handle ID: 0x194 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LaunchWinApp.exe Handle ID: 0x194 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LogonController.dll Handle ID: 0x194 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MCRecvSrc.dll Handle ID: 0x218 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfasfsrcsnk.dll Handle ID: 0x208 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfcore.dll Handle ID: 0x220 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmp4srcsnk.dll Handle ID: 0x228 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmpeg2srcsnk.dll Handle ID: 0x228 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfnetcore.dll Handle ID: 0x22c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfnetsrc.dll Handle ID: 0x230 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mshtml.dll Handle ID: 0x234 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msmpeg2vdec.dll Handle ID: 0x234 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mspaint.exe Handle ID: 0x238 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mstscax.dll Handle ID: 0x238 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msv1_0.dll Handle ID: 0x238 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSVP9DEC.dll Handle ID: 0x238 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSVPXENC.dll Handle ID: 0x238 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\offlinesam.dll Handle ID: 0x234 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\OneBackupHandler.dll Handle ID: 0x23c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provengine.dll Handle ID: 0x23c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ProvPluginEng.dll Handle ID: 0x23c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcore.dll Handle ID: 0x23c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcorets.dll Handle ID: 0x198 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpencom.dll Handle ID: 0x244 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpudd.dll Handle ID: 0x244 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:45 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\remoteaudioendpoint.dll Handle ID: 0x198 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\samsrv.dll Handle ID: 0x240 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ScDeviceEnum.dll Handle ID: 0x248 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_nt.dll Handle ID: 0x240 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingSyncCore.dll Handle ID: 0x248 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingSyncHost.exe Handle ID: 0x248 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\shell32.dll Handle ID: 0x250 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppobjs.dll Handle ID: 0x250 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SRH.dll Handle ID: 0x25c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SRHInproc.dll Handle ID: 0x240 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\StoreAgent.dll Handle ID: 0x204 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SyncSettings.dll Handle ID: 0x240 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TransportDSA.dll Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinui.dll Handle ID: 0x260 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\updatehandlers.dll Handle ID: 0x264 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\updatepolicy.dll Handle ID: 0x264 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usocore.dll Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbiosrvc.dll Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32k.sys Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kbase.sys Handle ID: 0x27c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kfull.sys Handle ID: 0x278 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.ApplicationModel.LockScreen.dll Handle ID: 0x280 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Internal.UI.Logon.ProxyStub.dll Handle ID: 0x284 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.dll Handle ID: 0x288 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Storage.ApplicationData.dll Handle ID: 0x288 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.BioFeedback.dll Handle ID: 0x290 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.BlockedShutdown.dll Handle ID: 0x298 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.CredDialogController.dll Handle ID: 0x2a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Logon.dll Handle ID: 0x2a4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Shell.dll Handle ID: 0x2b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Xaml.dll Handle ID: 0x2b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Xaml.Resources.dll Handle ID: 0x2b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winlogon.exe Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winmde.dll Handle ID: 0x2b4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinSCard.dll Handle ID: 0x2c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winsrv.dll Handle ID: 0x2c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wow64.dll Handle ID: 0x2cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuapi.dll Handle ID: 0x2cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuaueng.dll Handle ID: 0x2d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuuhext.dll Handle ID: 0x2dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IIS-DL\iismig.dll Handle ID: 0x2e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\msoobe.exe Handle ID: 0x2e8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\msoobedui.dll Handle ID: 0x2ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\plugin-manifests-signed\sppobjs-spp-plugin-manifest-signed.xrm-ms Handle ID: 0x2f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DMWmiBridgeProv.dll Handle ID: 0x2f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\DMWmiBridgeProv.mof Handle ID: 0x2fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\ndisimplatcim.dll Handle ID: 0x304 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\netswitchteamcim.dll Handle ID: 0x304 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceRecognitionEngineAdapter.dll Handle ID: 0x308 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceRecognitionEngineAdapterResources.dll Handle ID: 0x30c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceRecognitionSensorAdapter.dll Handle ID: 0x310 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppvClientComConsumer.dll Handle ID: 0x314 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AAD.Core.dll Handle ID: 0x304 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe Handle ID: 0x314 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxBlockMap.xml Handle ID: 0x310 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxManifest.xml Handle ID: 0x318 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxSignature.p7x Handle ID: 0x31c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\resources.pri Handle ID: 0x320 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eData.dll Handle ID: 0x300 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll Handle ID: 0x324 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll Handle ID: 0x328 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eView.dll Handle ID: 0x32c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe Handle ID: 0x330 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\resources.pri Handle ID: 0x324 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\resources.pri Handle ID: 0x324 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\App.xbf Handle ID: 0x330 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\MainPage.xbf Handle ID: 0x334 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\resources.pri Handle ID: 0x338 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriServer.exe Handle ID: 0x33c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\App.xbf Handle ID: 0x33c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppxBlockMap.xml Handle ID: 0x340 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppxManifest.xml Handle ID: 0x344 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppxSignature.p7x Handle ID: 0x324 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingLocalSearchService.dll Handle ID: 0x348 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CGSVCBackgroundTask.dll Handle ID: 0x34c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ContactPermissionsActionUriHandlers.dll Handle ID: 0x34c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll Handle ID: 0x34c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ActionUriHandlers.dll Handle ID: 0x34c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.AppToApp.dll Handle ID: 0x2f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll Handle ID: 0x350 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ContactPermissions.dll Handle ID: 0x350 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll Handle ID: 0x354 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb.dll Handle ID: 0x354 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Dss.BackgroundTask.dll Handle ID: 0x354 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.IntentExtraction.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.LocalSearch.dll Handle ID: 0x35c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Nodewinrtwrap.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:46 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Places.ViewModels.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Signals.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll Handle ID: 0x358 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaMusicSearch.dll Handle ID: 0x35c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSpeechux.dll Handle ID: 0x360 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll Handle ID: 0x364 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DeviceSideServicesActionUriHandler.dll Handle ID: 0x364 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Dictionary.devicefamily-desktop.xbf Handle ID: 0x368 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Dictionary.devicefamily-xbox.xbf Handle ID: 0x368 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Dictionary.xbf Handle ID: 0x36c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DNDActionUriHandlers.dll Handle ID: 0x36c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.bing.client.graph.dll Handle ID: 0x368 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\node.dll Handle ID: 0x36c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\OnlineServices.dll Handle ID: 0x370 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PhonePCVoiceAgents.dll Handle ID: 0x370 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesServer.exe Handle ID: 0x370 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReactiveAgentsCommon.dll Handle ID: 0x370 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReminderActionUriHandlers.dll Handle ID: 0x374 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe Handle ID: 0x378 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll Handle ID: 0x374 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesBackgroundTasks.dll Handle ID: 0x378 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesService.dll Handle ID: 0x364 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPIBackgroundTask.dll Handle ID: 0x37c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Handle ID: 0x380 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SharedVoiceAgents.dll Handle ID: 0x378 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ShellActionUriHandlers.dll Handle ID: 0x384 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\TextEntityExtractorProxy.dll Handle ID: 0x384 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\tws.dll Handle ID: 0x388 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VadSharedVoiceAgents.dll Handle ID: 0x388 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VoiceAgentsCommon.dll Handle ID: 0x388 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PersonPicture\Themes\Generic.xbf Handle ID: 0x38c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\UserControls\FavoriteAddEditForm.xbf Handle ID: 0x390 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\UserControls\SearchResultCompactCard.xbf Handle ID: 0x394 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\UserControls\View\FavoritesCompactCard.xbf Handle ID: 0x360 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\Views\AddFavoritePage.xbf Handle ID: 0x398 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\Views\EditFavoritePage.xbf Handle ID: 0x39c Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\Views\PlacesExperiencePage.xbf Handle ID: 0x3a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Places\Views\PlacesPage.xbf Handle ID: 0x3a4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Reminders.Dictionary.xbf Handle ID: 0x3a8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\InkNotesItemPage.xbf Handle ID: 0x3ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\LocationTriggerEditor.xbf Handle ID: 0x3ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\ReminderDebugInfoPage.xbf Handle ID: 0x3b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\ReminderItemPage.xbf Handle ID: 0x3b4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\ReminderListItem.Dictionary.xbf Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\RemindersHistoryPage.xbf Handle ID: 0x3bc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\RemindersHomePage.xbf Handle ID: 0x3c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\RemindersShareTargetPage.xbf Handle ID: 0x3c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI\Views\TimeTriggerEditor.xbf Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\AboutMePage.xbf Handle ID: 0x3c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\AnimatedImage.xbf Handle ID: 0x3cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\BreakThroughListPage.xbf Handle ID: 0x3cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\CapabilitiesPrompt.xbf Handle ID: 0x3d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\Chrome.xbf Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ChromeVisualStates.xbf Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\COOBEPage.xbf Handle ID: 0x354 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\COOBEPage_Xbox.xbf Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\CortanaWindow.xbf Handle ID: 0x3d8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ErrorPage.xbf Handle ID: 0x3d8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FamilyHostPage.xbf Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FamilyMemberPage.xbf Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FamilyNotificationCreationPage.xbf Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FamilyPage.xbf Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FlyoutPage.xbf Handle ID: 0x3e8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\FrameHostPage.xbf Handle ID: 0x3ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\GreetingsControl.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\HomeburgerMenuControl.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\HostedWebViewControl.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\InkNotesHostPage.xbf Handle ID: 0x3f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\MusicRecoPage.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\NamePronunciationPage.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\NotebookOfflinePage.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\PrivacySettingsPage.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\QuietHoursPage.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1Control.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1ThemeResources.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\RemindersHostPage.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\RichSearchBoxControl.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SearchBoxAnimationControl.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SearchBoxControl.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SettingsPage.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SpeechHelpCategoryDetailPage.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SpeechHelpPage.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SpeechTextInputControl.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\SpeechTextInputThemeResources.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\XDeviceSettingsDetailPage.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\XDeviceSettingsMasterPage.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\XDeviceSettingsNotificationForwardingPage.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormDatePicker.xbf Handle ID: 0x3f8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormDatePickerFlyout.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormDaysOfWeekPickerFlyout.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormImage.xbf Handle ID: 0x3fc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormLabel.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormListAppLaunch.xbf Handle ID: 0x3f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormLocationPicker.xbf Handle ID: 0x3f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiFormTimePickerFlyout.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiInkImage.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Views\ReactiveCat1\GuiReminderEntityListView.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\resources.pri Handle ID: 0x3f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AddressBoxControl.xbf Handle ID: 0x3f0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\App.xbf Handle ID: 0x3ec Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AssessmentPage.xbf Handle ID: 0x3e8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\ErrorPage.xbf Handle ID: 0x3f4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LockdownDialog.xbf Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\NavigationLandingPage.xbf Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\NetworkConnectivityErrorPage.xbf Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\ProgressPage.xbf Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SchemaActivationEmptyPage.xbf Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessment_JSBridge.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessment_Telemetry.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest.xml Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature.p7x Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.ApplicationModel.LockScreen\Windows.ApplicationModel.LockScreen.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.BioFeedback\Windows.UI.BioFeedback.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.BlockedShutdown\Windows.UI.BlockedShutdown.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.Cred\Windows.UI.Cred.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.DevicesFlow\Windows.UI.DevicesFlow.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.Logon\Windows.UI.Logon.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.PCShell\Windows.UI.PCShell.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\Windows.UI.SettingsAppThreshold.pri Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.Shell\Windows.UI.Shell.pri Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.ShellCommon\Windows.UI.ShellCommon.pri Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\aadtb.dll Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:47 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\aclui.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AppVEntSubsystems32.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AUDIOKSE.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AudioSes.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AzureSettingSyncProvider.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakra.dll Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakradiag.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\CloudBackupSettings.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\cryptui.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\d2d1.dll Handle ID: 0x258 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\D3D12.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\D3DCompiler_47.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\edgehtml.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\indexeddbserver.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallAgent.exe Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallAgentUserBroker.exe Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\kerberos.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LaunchWinApp.exe Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LogonController.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MCRecvSrc.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfasfsrcsnk.dll Handle ID: 0x3e0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfcore.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmp4srcsnk.dll Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmpeg2srcsnk.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfnetcore.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfnetsrc.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mshtml.dll Handle ID: 0x3e4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msmpeg2vdec.dll Handle ID: 0x3dc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mspaint.exe Handle ID: 0x3d8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mstscax.dll Handle ID: 0x354 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msv1_0.dll Handle ID: 0x3d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSVP9DEC.dll Handle ID: 0x3cc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSVPXENC.dll Handle ID: 0x3d0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\offlinesam.dll Handle ID: 0x3c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpcore.dll Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpencom.dll Handle ID: 0x3c4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\remoteaudioendpoint.dll Handle ID: 0x3c8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SettingSyncCore.dll Handle ID: 0x3c0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SettingSyncHost.exe Handle ID: 0x3bc Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\shell32.dll Handle ID: 0x3b4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\StoreAgent.dll Handle ID: 0x3b0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SyncSettings.dll Handle ID: 0x3a8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinui.dll Handle ID: 0x3ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\updatepolicy.dll Handle ID: 0x3a4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32k.sys Handle ID: 0x3ac Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32kfull.sys Handle ID: 0x274 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.ApplicationModel.LockScreen.dll Handle ID: 0x3a4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Internal.UI.Logon.ProxyStub.dll Handle ID: 0x3a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.dll Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Storage.ApplicationData.dll Handle ID: 0x3a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.BioFeedback.dll Handle ID: 0x3a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.BlockedShutdown.dll Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Cred.dll Handle ID: 0x3a0 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.CredDialogController.dll Handle ID: 0x3d4 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Logon.dll Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Xaml.dll Handle ID: 0x398 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Xaml.Resources.dll Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\winmde.dll Handle ID: 0x360 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WinSCard.dll Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wuapi.dll Handle ID: 0x394 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2017-01-11 22:14:48 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppvClientComConsumer.dll Handle ID: 0x3b8 Process Information: Process ID: 0xcb4 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 103 | 2017-01-11 22:15:03 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:03 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:03 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x224 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 07:19:03 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x298 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:06 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x39c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x298 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3fc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??c?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 07:19:09 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9ed1
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10571 Linked Logon ID: 0x10595 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10595 Linked Logon ID: 0x10571 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10571 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10595 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 07:19:11 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x209b8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x608 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x608 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:19:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:19:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:19:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 07:19:21 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:19:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:20:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 07:20:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf8820 Linked Logon ID: 0xf884e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf884e Linked Logon ID: 0xf8820 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf8a9d Linked Logon ID: 0xf8ace Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf8ace Linked Logon ID: 0xf8a9d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf8ace Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf8a9d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf8820 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xf8a9d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-12 07:20:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:20:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:20:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 07:20:34 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1b5c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:20:34 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1b5c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:20:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:20:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:51 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf8820 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:51 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf8820 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:20:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf8820 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:21:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:21:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:21:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 07:21:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:21:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 07:21:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x21b8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:22:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:22:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:22:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:22:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b70 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:23:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:23:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 07:25:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:25:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 07:25:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x2504 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:29:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:29:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:29:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:29:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:29:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-12 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x25ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x25ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x25ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x25ac Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:30:15 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 07:30:15 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-12 07:35:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1dd0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 07:35:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1dd0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:35:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-12 07:42:36 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 07:42:36 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 07:42:36 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 07:42:36 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 07:42:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x17ec Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 07:43:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:43:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EC2AMAZ-8MGC7TQ Additional Information: EC2AMAZ-8MGC7TQ Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:43:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:43:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:43:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 07:50:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:50:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 07:50:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:50:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 07:58:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 07:58:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 08:01:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 08:01:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xef0 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1b88 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x825c84 Linked Logon ID: 0x825cb7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x825cb7 Linked Logon ID: 0x825c84 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x826387 Linked Logon ID: 0x8263ea Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8263ea Linked Logon ID: 0x826387 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8263ea Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x826387 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x825cb7 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x825c84 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x825c84 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x826387 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 08:20:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa34 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:20:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:29:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 08:29:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 08:29:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13568 | 2017-01-12 08:29:11 | | Microsoft-Windows-Security-Auditing | 4904: An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x91d094
|
| | Security | Audit Success | 13568 | 2017-01-12 08:29:11 | | Microsoft-Windows-Security-Auditing | 4905: An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process: Process ID: 0x1980 Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x91d094
|
| | Security | Audit Success | 12544 | 2017-01-12 08:29:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 08:29:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x26e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x26e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10b4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x26e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x26e0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca8b52 Linked Logon ID: 0xca8b85 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca8b85 Linked Logon ID: 0xca8b52 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 09:20:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca8b52 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:07 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca9274 Linked Logon ID: 0xca92f5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca92f5 Linked Logon ID: 0xca9274 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xca92f5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xca9274 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xca8b85 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xca8b52 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xca9274 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x938 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x938 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x938 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:20:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x938 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:27:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:27:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:27:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:27:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 09:27:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1998 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 09:32:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 09:32:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedcd78 Linked Logon ID: 0xedcdab Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedcdab Linked Logon ID: 0xedcd78 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x454 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedd539 Linked Logon ID: 0xedd5b9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedd5b9 Linked Logon ID: 0xedd539 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xedd5b9 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xedd539 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xedcdab Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xedcd78 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedcd78 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xedd539 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2874 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2874 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2874 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 10:13:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2874 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12545 | 2017-01-12 10:21:09 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xf884e This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-12 10:21:10 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 11:44:48 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:50 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x384 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x398 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x384 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ????????????????-??6??8?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x398 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 11:44:51 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa495
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x110a6 Linked Logon ID: 0x110bd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x110bd Linked Logon ID: 0x110a6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x110a6 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x110bd Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x448 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x628 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:44:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-12 11:44:55 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2925c Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:44:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:44:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4ad63 Linked Logon ID: 0x4ad9f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4ad9f Linked Logon ID: 0x4ad63 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4b23c Linked Logon ID: 0x4b2a5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4b2a5 Linked Logon ID: 0x4b23c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4b2a5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4b23c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4ad63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4b23c Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x120c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x120c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-12 11:45:00 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:45:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 11:45:06 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a60 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:45:06 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1a60 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12292 | 2017-01-12 11:45:07 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:13 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:45:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:45:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:45:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:43 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:43 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:43 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:44 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 11:45:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1678 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 11:46:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad63 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-12 11:46:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x120c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 11:46:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x120c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 11:46:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x80c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:46:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad63 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x80c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12290 | 2017-01-12 11:46:56 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 11:46:56 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 11:46:56 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-12 11:46:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:46:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 11:46:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:46:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 11:46:59 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 11:46:59 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 11:47:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 11:47:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:47:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 11:47:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 11:47:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-12 11:47:28 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4ad9f This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-12 11:47:29 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:14 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ac New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:14 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x21c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 15:41:14 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:16 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x374 New Process Name: ??????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b0 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3e8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x374 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x374 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 15:41:17 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa20c
|
| | Security | Audit Success | 101 | 2017-01-12 15:41:19 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10dd5 Linked Logon ID: 0x10df2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10df2 Linked Logon ID: 0x10dd5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10dd5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10df2 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x24df2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x62c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x62c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-12 15:41:21 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x430e7 Linked Logon ID: 0x43173 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x43173 Linked Logon ID: 0x430e7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4396d Linked Logon ID: 0x439ba Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x439ba Linked Logon ID: 0x4396d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x439ba Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4396d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x430e7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4396d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x6d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x6d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:24 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x15e4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:41:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x15e4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12292 | 2017-01-12 15:41:32 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x6d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 15:41:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x6d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 15:41:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:41:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 103 | 2017-01-12 15:41:47 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 12545 | 2017-01-12 15:41:47 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x43173 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:42:57 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:42:57 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 15:42:57 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 15:42:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:42:59 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x394 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x394 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x394 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 15:43:00 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9f7c
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b1d Linked Logon ID: 0x10b34 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b34 Linked Logon ID: 0x10b1d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b1d Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b34 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x448 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:43:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x484 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2753d Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:43:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:43:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 15:43:10 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 103 | 2017-01-12 15:43:17 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 15:44:21 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:23 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x374 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x390 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3e8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x374 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ????????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x374 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x390 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x390 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 15:44:24 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9f7b
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b12 Linked Logon ID: 0x10b35 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b35 Linked Logon ID: 0x10b12 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b12 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10b35 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x440 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 15:44:27 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x275a4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 15:44:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 15:44:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 15:44:35 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 103 | 2017-01-12 15:44:36 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 19:12:32 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x37c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b0 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ????????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 19:12:35 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa1d5
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10da7 Linked Logon ID: 0x10dc7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10dc7 Linked Logon ID: 0x10da7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10da7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10dc7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x440 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 19:12:38 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x27e78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 19:12:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 19:12:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:12:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 19:12:46 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-12 19:12:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x10b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 19:12:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 19:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x10b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 19:13:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 19:13:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:13:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81c30 Linked Logon ID: 0x81c5f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81c5f Linked Logon ID: 0x81c30 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81ed3 Linked Logon ID: 0x81f04 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81f04 Linked Logon ID: 0x81ed3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x81f04 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x81ed3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81c30 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x81ed3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-12 19:14:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:14:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 19:14:22 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 19:14:22 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x45c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12290 | 2017-01-12 19:14:41 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 19:14:41 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 19:14:41 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:14:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 19:14:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 19:14:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 19:14:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 19:14:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x474 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12545 | 2017-01-12 19:15:32 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x81c5f This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-12 19:15:33 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-12 20:29:55 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:57 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-12 20:29:58 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa004
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10ba8 Linked Logon ID: 0x10bc5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc5 Linked Logon ID: 0x10ba8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10ba8 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x65c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x65c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x27a98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-12 20:30:12 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xea4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xea4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f2d4 Linked Logon ID: 0x5f302 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f302 Linked Logon ID: 0x5f2d4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f53f Linked Logon ID: 0x5f56d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f56d Linked Logon ID: 0x5f53f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f56d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f53f Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f2d4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5f53f Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:20 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:21 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1934 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:30:26 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1934 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:30:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:30:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xea4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:30:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xea4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12290 | 2017-01-12 20:32:03 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 20:32:03 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-12 20:32:03 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-12 20:32:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:32:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:32:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:34:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x13e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:34:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x13e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:34:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:34:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:34:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x13e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:34:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x13e4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:39:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:39:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 20:40:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:40:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:40:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:40:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:45:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2354 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-12 20:45:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2354 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 20:48:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:48:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-12 20:50:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-12 20:50:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 20:50:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-12 20:50:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-12 21:26:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x18bc Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 21:31:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-12 21:31:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-12 21:32:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 21:32:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 21:32:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 21:32:56 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-12 21:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1544 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-12 21:33:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-12 21:33:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-12 21:39:16 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5f302 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-12 21:39:25 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:30 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:30 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 04:34:30 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x38c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: ????????????????-??6??c?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x38c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x38c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 04:34:33 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9cc3
|
| | Security | Audit Success | 101 | 2017-01-13 04:34:35 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12292 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10488 Linked Logon ID: 0x104aa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x104aa Linked Logon ID: 0x10488 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10488 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x104aa Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x640 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x640 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 04:34:37 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2451c Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x44c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1170 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1170 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1170 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1170 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4e844 Linked Logon ID: 0x4e872 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4e872 Linked Logon ID: 0x4e844 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4eac3 Linked Logon ID: 0x4eaf1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4eaf1 Linked Logon ID: 0x4eac3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4eaf1 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4eac3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4e844 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4eac3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:44 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:44 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:44 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12292 | 2017-01-13 04:34:45 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:34:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:34:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:34:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1794 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e844 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e844 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e844 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e844 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x5d0 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:35:13 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4e872 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-13 04:35:14 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 04:35:29 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:30 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a0 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:31 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: ????????????????-??6??0?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a0 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 04:35:32 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xa001
|
| | Security | Audit Success | 12292 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc7 Linked Logon ID: 0x10be2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10be2 Linked Logon ID: 0x10bc7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10be2 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x22b6b Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x668 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x668 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3bf5a Linked Logon ID: 0x3bfb9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3bfb9 Linked Logon ID: 0x3bf5a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3c672 Linked Logon ID: 0x3c6a4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3c6a4 Linked Logon ID: 0x3c672 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3c6a4 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3c672 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3bf5a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x3c672 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:38 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:35:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:35:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x150c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x150c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1654 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:35:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1654 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x150c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:35:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x150c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 04:35:46 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:36:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3bf5a Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:36:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3bf5a Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x83c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:36:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3bf5a Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x83c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-13 04:36:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:36:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12545 | 2017-01-13 04:36:18 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x3bfb9 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-13 04:36:19 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 04:51:26 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:28 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x380 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x380 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: ????????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x380 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 04:51:29 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9fdc
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bd8 Linked Logon ID: 0x10bfb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bfb Linked Logon ID: 0x10bd8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x214 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bd8 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bfb Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x236d4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6b0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x6b0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48b16 Linked Logon ID: 0x48b44 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48b44 Linked Logon ID: 0x48b16 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48dc0 Linked Logon ID: 0x48dee Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48dee Linked Logon ID: 0x48dc0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48dee Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48dc0 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48b16 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x48dc0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:38 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 04:51:40 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:51:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1730 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:51:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1730 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x470 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:51:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x548 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:51:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:52:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b16 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:52:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b16 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 04:52:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b16 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x6d8 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 04:52:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x778 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:53:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 04:53:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12290 | 2017-01-13 04:53:35 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 04:53:35 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 04:53:35 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-13 04:53:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:53:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 04:55:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 04:55:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 04:58:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x87c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:58:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x87c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:58:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x87c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:58:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x87c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 04:58:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x57c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:01:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1fa0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:01:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1fa0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:01:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1fa0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:01:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1fa0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:06:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1f18 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:06:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f18 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45d863 Linked Logon ID: 0x45d896 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45d896 Linked Logon ID: 0x45d863 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x47c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45e003 Linked Logon ID: 0x45e05b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45e05b Linked Logon ID: 0x45e003 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d0 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x45e05b Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x45e003 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x45d896 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x45d863 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45d863 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x45e003 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 05:57:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 06:17:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12545 | 2017-01-13 06:38:41 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x48b44 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-13 06:38:42 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:45 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:45 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 07:07:45 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:46 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x28c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:47 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x28c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 07:07:48 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9fd9
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc1 Linked Logon ID: 0x10be1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10be1 Linked Logon ID: 0x10bc1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10bc1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10be1 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6ac Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:07:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x6ac Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x288b5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 13826 | 2017-01-13 07:07:52 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:07:52 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x47117 Linked Logon ID: 0x47149 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x47149 Linked Logon ID: 0x47117 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x473b5 Linked Logon ID: 0x473e3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x473e3 Linked Logon ID: 0x473b5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x473e3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x473b5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x47117 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x473b5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-13 07:07:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:08:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:08:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 07:08:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x189c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:08:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x189c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 07:08:03 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x15bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x15bc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x117c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x117c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x117c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:08:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x117c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:08:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47117 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:08:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47117 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x80c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:08:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47117 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x80c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:08:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47117 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x80c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13826 | 2017-01-13 07:08:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:08:54 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:09:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:09:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:09:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x4dc Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 07:11:34 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x288 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x378 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x394 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x288 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3ec New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x378 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x394 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x394 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 07:11:37 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9bd5
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1018d Linked Logon ID: 0x101ad Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101ad Linked Logon ID: 0x1018d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x244 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1018d Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x101ad Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x440 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x23378 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x640 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x640 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4f978 Linked Logon ID: 0x4f9bc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4f9bc Linked Logon ID: 0x4f978 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4f978 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:48 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4fdea Linked Logon ID: 0x4fe2c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4fe2c Linked Logon ID: 0x4fdea Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4fe2c Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4fdea Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4fdea Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:11:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:11:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:55 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19f0 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:11:55 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19f0 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:11:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:12:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:05 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f978 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f978 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f978 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x740 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:12:43 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 07:13:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1cf4 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:13:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:13:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:13:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:13:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:18:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:18:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:18:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:18:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:18:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x20a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:18:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x20a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:18:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x20a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:18:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x20a4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:18:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:18:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:18:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x2424 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:20:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:20:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:20:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 07:21:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:21:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:21:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:21:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2620 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:26:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x26f0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:26:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x26f0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:29:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:29:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:29:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f20 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:29:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:29:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x456177 Linked Logon ID: 0x4561aa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x4561aa Linked Logon ID: 0x456177 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x464 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:36:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x456177 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x456900 Linked Logon ID: 0x456955 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x456955 Linked Logon ID: 0x456900 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x456955 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x456900 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4561aa Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x456177 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x456900 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x20b8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x20b8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x20b8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 07:36:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x20b8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 07:43:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:43:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:43:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:43:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 07:43:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x21f0 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12288 | 2017-01-13 07:43:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x580 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T00:43:48.324337700Z New Time: 2017-01-13T00:43:52.398044100Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-13 07:43:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x580 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T00:43:52.398602500Z New Time: 2017-01-13T00:43:52.398000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-13 07:43:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x580 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T00:43:52.398891000Z New Time: 2017-01-13T00:43:52.398000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:45:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:46:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 07:46:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 08:10:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 08:10:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 08:11:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 08:11:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 08:14:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2bc Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 08:31:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 08:31:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2017-01-13 08:31:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 08:31:49 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\23e8a7fb877a6c9eb54ca64f9502f8df_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2017-01-13 08:31:51 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 08:31:51 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\23e8a7fb877a6c9eb54ca64f9502f8df_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2017-01-13 08:31:53 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 08:31:53 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\23e8a7fb877a6c9eb54ca64f9502f8df_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2017-01-13 08:31:55 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 08:31:55 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\23e8a7fb877a6c9eb54ca64f9502f8df_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12545 | 2017-01-13 08:59:57 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x4f9bc This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 103 | 2017-01-13 08:59:58 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 12288 | 2017-01-13 13:08:04 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5c4 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T00:09:52.281370700Z New Time: 2017-01-13T06:08:04.231000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-13 14:09:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5c4 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T06:08:04.746790000Z New Time: 2017-01-13T07:09:52.721458900Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-13 14:09:52 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5c4 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T07:09:52.722016000Z New Time: 2017-01-13T07:09:52.721000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2788 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2788 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 14:09:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2658 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12290 | 2017-01-13 14:09:54 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 14:09:54 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-13 14:09:54 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-13 14:10:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:10:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:10:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:10:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:11:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:11:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:11:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:11:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:13:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:13:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:27:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 14:27:32 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 14:29:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 14:29:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 14:29:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 14:29:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 14:29:11 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-13 14:29:11 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-13 14:29:11 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-13 14:29:11 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-13 14:29:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1484 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 14:39:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:39:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:47:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:47:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 14:48:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 14:48:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 15:09:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 15:09:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 15:26:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2b8c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:26:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2b8c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:26:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x24f0 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:26:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2b8c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:26:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2b8c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8abc40 Linked Logon ID: 0x8abc73 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8abc73 Linked Logon ID: 0x8abc40 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8ac453 Linked Logon ID: 0x8ac4cc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8ac4cc Linked Logon ID: 0x8ac453 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d8 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8ac4cc Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8ac453 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8abc73 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x8abc40 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8abc40 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x8ac453 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 15:57:37 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-13 15:57:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:57:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:58:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 15:58:19 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xcec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 16:51:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 16:51:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 16:53:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 16:53:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e0 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 16:53:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 16:53:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 103 | 2017-01-13 17:18:31 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 12288 | 2017-01-13 17:18:31 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5c4 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-13T10:18:31.932370800Z New Time: 2017-01-13T10:18:31.906000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 17:18:31 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x47149 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:33 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-13 19:13:33 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:35 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x37c New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x39c New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f0 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ????????????????-??6??c?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x37c Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ????????????????-??6??c?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x39c Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-13 19:13:36 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9d57
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10425 Linked Logon ID: 0x10441 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10441 Linked Logon ID: 0x10425 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10425 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10441 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x448 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x648 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:13:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x27809 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:13:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:13:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 19:13:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:13:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-13 19:13:50 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x68336 Linked Logon ID: 0x68364 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x68364 Linked Logon ID: 0x68336 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:14:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x68336 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 19:14:03 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6859f Linked Logon ID: 0x685cd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x685cd Linked Logon ID: 0x6859f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x685cd Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6859f Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6859f Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-13 19:14:04 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:14:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:14:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 19:14:10 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:14:10 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:14:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:14:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11d4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:15:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:15:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-13 19:15:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-13 19:15:43 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:15:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:15:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 19:16:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1c8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:16:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1298 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:16:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1298 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:17:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1298 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:17:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1298 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:17:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:17:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 19:22:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-13 19:22:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 19:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d74 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d74 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:24:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d74 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:24:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d74 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:29:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x22a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 19:29:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x22a8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 19:44:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 19:44:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 20:14:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 20:14:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 20:46:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 20:46:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-13 20:47:10 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-13 20:47:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x9a8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 20:54:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 20:54:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 20:59:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f0c Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-13 21:13:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-13 21:13:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-13 21:18:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 21:18:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 21:19:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-13 21:19:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 00:58:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 00:58:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 01:04:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x12a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 01:04:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xc0dace Linked Logon ID: 0xc0db0c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x12a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 01:04:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xc0db0c Linked Logon ID: 0xc0dace Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x12a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 01:04:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xc0dace Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 01:04:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xc0db0c Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 01:04:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 01:04:24 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x68364 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2017-01-14 01:04:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2278 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc41710 Linked Logon ID: 0xc41742 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc41742 Linked Logon ID: 0xc41710 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc4199d Linked Logon ID: 0xc419e6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc419e6 Linked Logon ID: 0xc4199d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc419e6 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc4199d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc41710 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0xc4199d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-14 07:17:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:19 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41710 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:17:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x206c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41710 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41710 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:17:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41710 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:18:04 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 07:19:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d94 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x13b0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x13b0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x1a64 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 07:20:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 07:20:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 07:20:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 07:20:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 07:20:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:30 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x13b0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:20:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x13b0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 07:25:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:25:55 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:26:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:26:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:26:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 07:26:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 07:32:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x10a0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 07:32:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x10a0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 08:00:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 08:00:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 08:00:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 08:05:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 08:05:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 08:05:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x2638 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 08:09:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x22b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 08:09:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x22b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 08:09:01 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1858 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 08:09:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x22b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 08:09:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x22b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 09:01:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 09:01:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 09:02:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 09:02:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2694 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:25 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e20ff Linked Logon ID: 0x15e2132 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e2132 Linked Logon ID: 0x15e20ff Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 10:09:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e20ff Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:25 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e27c6 Linked Logon ID: 0x15e2847 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e2847 Linked Logon ID: 0x15e27c6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x15e2847 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x15e27c6 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x15e2132 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x15e20ff Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x15e27c6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1bf8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1bf8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1bf8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1bf8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 10:10:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:10:06 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:22:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 10:22:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 10:27:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:27:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:27:35 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:30:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:30:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:30:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:30:52 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:32:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:32:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:32:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:32:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:33:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:33:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:33:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:39:13 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:39:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:48:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:49:28 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:49:28 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 10:49:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 11:06:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:06:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:06:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf4c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:07:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:07:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa04 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:08:07 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xf4c Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x18868d4 Linked Logon ID: 0x1886907 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1886907 Linked Logon ID: 0x18868d4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1886f63 Linked Logon ID: 0x1886fdb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1886fdb Linked Logon ID: 0x1886f63 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1886fdb Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1886f63 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1886907 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x18868d4 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x18868d4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1886f63 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:13:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 11:14:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:14:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ie.ama@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 11:14:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:14:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 11:14:04 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 11:49:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 11:56:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:56:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:56:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x23d4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:57:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 11:57:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be201a Linked Logon ID: 0x1be204d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be204d Linked Logon ID: 0x1be201a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be2572 Linked Logon ID: 0x1be269d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be269d Linked Logon ID: 0x1be2572 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1be269d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1be2572 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1be204d Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1be201a Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be201a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1be2572 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 12:57:31 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 12:57:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xfec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 12:57:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xfec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 12:58:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xfec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 12:58:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xfec Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 13:57:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 13:57:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 13:57:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2414 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 13:58:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 13:58:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11b4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f04d14 Linked Logon ID: 0x1f04d47 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f04d47 Linked Logon ID: 0x1f04d14 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f05349 Linked Logon ID: 0x1f053aa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f053aa Linked Logon ID: 0x1f05349 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1f053aa Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1f05349 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1f04d47 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x1f04d14 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f04d14 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x1f05349 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:32:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:33:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x11d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:33:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x11d0 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 14:45:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 14:45:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2017-01-14 14:45:50 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-14 14:45:50 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 8d3706cf-a4bf-25a3-466a-ba28678e314b Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\23e8a7fb877a6c9eb54ca64f9502f8df_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12288 | 2017-01-14 14:46:01 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x560 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-14T07:46:01.224688600Z New Time: 2017-01-14T07:46:01.221000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13824 | 2017-01-14 14:56:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1968 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:56:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1968 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:56:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1978 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:57:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1968 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:57:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1968 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2061c0d Linked Logon ID: 0x2061c40 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2061c40 Linked Logon ID: 0x2061c0d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x20622eb Linked Logon ID: 0x2062354 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2062354 Linked Logon ID: 0x20622eb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2062354 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x20622eb Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2061c40 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2061c0d Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2061c0d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x20622eb Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 14:59:54 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 14:59:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 14:59:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 15:00:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 15:00:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2334 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 15:11:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 15:11:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 15:28:58 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 15:58:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1498 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 15:58:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-14 15:59:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2160 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 15:59:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2160 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 15:59:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2754 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 16:00:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2160 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 16:00:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2160 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5732 Linked Logon ID: 0x22a5765 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5765 Linked Logon ID: 0x22a5732 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5c91 Linked Logon ID: 0x22a5ce4 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5ce4 Linked Logon ID: 0x22a5c91 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a5ce4 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a5c91 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a5765 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x22a5732 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5732 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x22a5c91 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1560 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1560 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1560 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 16:03:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1560 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 16:18:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:18:09 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:27:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-3 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:27:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x23779c0 Linked Logon ID: 0x23779df Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 16:27:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x23779df Linked Logon ID: 0x23779c0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ff8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 16:27:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x23779c0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 16:27:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-3 Account Name: DWM-3 Account Domain: Window Manager Logon ID: 0x23779df Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2017-01-14 16:27:06 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0xc41742 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-14 19:27:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x598 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d6ef1 Linked Logon ID: 0x23d6f23 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d6f23 Linked Logon ID: 0x23d6ef1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d717d Linked Logon ID: 0x23d71c6 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d71c6 Linked Logon ID: 0x23d717d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d71c6 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d717d Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d6ef1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x23d717d Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-14 19:28:14 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:28:20 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-14 19:29:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:29:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:30:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e4c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:30:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e4c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:31:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d6f23 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x728 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:31:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1e4c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:31:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1e4c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:43:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d6f23 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1154 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 19:43:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d6f23 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1154 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 20:09:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 20:09:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-14 20:27:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d6f23 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27b4 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 21:17:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1318 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 21:17:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1318 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 21:17:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1318 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-14 21:17:39 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1318 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 21:37:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-14 21:37:36 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-14 21:37:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-4 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d58 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-14 21:37:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x28eb4d3 Linked Logon ID: 0x28eb4f2 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d58 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-14 21:37:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x28eb4f2 Linked Logon ID: 0x28eb4d3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d58 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 21:37:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x28eb4d3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-14 21:37:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-4 Account Name: DWM-4 Account Domain: Window Manager Logon ID: 0x28eb4f2 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12544 | 2017-01-14 21:37:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-14 21:37:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2017-01-14 21:37:42 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x23d6f23 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2017-01-15 10:49:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2528 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:49:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1dfc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:49:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1dfc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:49:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1dfc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:49:57 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1dfc Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944b2b Linked Logon ID: 0x2944b5a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944b5a Linked Logon ID: 0x2944b2b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944dc5 Linked Logon ID: 0x2944df3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944df3 Linked Logon ID: 0x2944dc5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2944df3 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2944dc5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944b2b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x2944dc5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-15 10:50:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Administrator Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: DefaultAccount Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: defaultuser0 Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Guest Target Account Domain: RAZER
|
| | Security | Audit Success | 13824 | 2017-01-15 10:50:53 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Additional Information: Caller Workstation: RAZER Target Account Name: Deathadder™ Target Account Domain: RAZER
|
| | Security | Audit Success | 12544 | 2017-01-15 10:51:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 10:51:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 10:51:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:51:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1d44 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:52:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2558 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:52:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2558 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 10:53:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 10:53:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 10:53:14 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x1810 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:53:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2558 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 10:53:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2558 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 11:05:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2944b5a User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x8f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 11:05:48 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2944b5a User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x8f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 11:21:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 11:21:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 11:26:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 11:26:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 11:51:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 11:51:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 12:19:11 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19a8 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 12:19:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 12:19:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 12:19:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 12:19:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 12:21:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 12:21:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 12:50:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 12:50:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 12:50:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x2944b5a User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xeb4 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 14:03:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 14:03:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12288 | 2017-01-15 14:04:06 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x560 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-15T07:04:04.338191200Z New Time: 2017-01-15T07:04:06.900651200Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-15 14:04:06 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x560 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-15T07:04:06.900838400Z New Time: 2017-01-15T07:04:06.900000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2017-01-15 14:04:06 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x560 Name: C:\Windows\System32\svchost.exe Previous Time: 2017-01-15T07:04:06.901139200Z New Time: 2017-01-15T07:04:06.899000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:24 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x220 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-15 19:08:24 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x380 New Process Name: ??????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a4 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3f4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x380 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ????????????????-??6??0?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x380 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ????????????????-??6??4?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3a4 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-15 19:08:27 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9d8b
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10406 Linked Logon ID: 0x1042f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1042f Linked Logon ID: 0x10406 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x248 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10406 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1042f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 101 | 2017-01-15 19:08:30 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12292 | 2017-01-15 19:08:30 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x2030d Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x434 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xc64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xc64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-15 19:08:39 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xc64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xc64 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6134a Linked Logon ID: 0x61378 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x61378 Linked Logon ID: 0x6134a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6134a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:45 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x615e7 Linked Logon ID: 0x61615 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x61615 Linked Logon ID: 0x615e7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1dc Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x61615 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x615e7 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x615e7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1684 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1684 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:08:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:08:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:08:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x1a00 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:09:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1684 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:09:17 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1684 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:10:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:10:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-15 19:10:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:10:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:10:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:10:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 19:11:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:11:30 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:12:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:12:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xa54 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 19:12:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 19:12:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-15 19:14:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x61378 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1aa8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-15 19:17:48 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x468 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:18:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:18:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:19:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:19:08 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2310 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x61378 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x2128 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-15 19:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x61378 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2128 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-15 20:06:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-15 20:06:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:10 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ??????????????-??6?4?????? ? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????4 Process Command Line: ?????? ? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:10 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x224 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2017-01-16 07:29:10 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: ??????????????-??6??4?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3b8 New Process Name: ???????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x290 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3fc New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ????????????????????4? Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: ????????????????-??6??8?????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x388 Creator Process Name: ????????????????????4 Process Command Line: ?????? ???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e8 New Process Name: ????????????????-??6??8?????? ???????????????????????4 Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b8 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: ??????????????e??? ?? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x3b8 Creator Process Name: ???????????????e?????? Process Command Line: ?????? ???????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2017-01-16 07:29:13 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x9c43
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 101 | 2017-01-16 07:29:15 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10885 Linked Logon ID: 0x108a7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x108a7 Linked Logon ID: 0x10885 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x218 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10885 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x108a7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1f7ea Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x644 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2017-01-16 07:29:17 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:17 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:17 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x444 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x12c8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x12c8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12292 | 2017-01-16 07:29:27 | | Microsoft-Windows-Security-Auditing | 6406: Kaspersky Endpoint Security 10 for Windows registered to Windows Firewall to control filtering for the following: BootTimeRuleCategory, StealthRuleCategory, FirewallRuleCategory.
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x12c8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x12c8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6601e Linked Logon ID: 0x6604c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6604c Linked Logon ID: 0x6601e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x66297 Linked Logon ID: 0x662c5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x662c5 Linked Logon ID: 0x66297 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12545 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x662c5 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x66297 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x6601e Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x66297 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:37 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:29:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:29:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:42 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19b4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:29:42 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x19b4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:30:07 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:30:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:30:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 07:30:25 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1588 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12290 | 2017-01-16 07:31:19 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-16 07:31:19 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_515b10cc-5648-4ef1-85cd-ec69792150a2 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2017-01-16 07:31:19 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:31:21 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:31:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:31:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: RAZER Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-TS-ML-0-15.hff-group.com Additional Information: AMA-TS-ML-0-15.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:32:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:32:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:32:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:33:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:33:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-16 07:34:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:34:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-16 07:34:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:34:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-16 07:35:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:35:17 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:35:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:35:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:35:27 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 07:36:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:36:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:36:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:36:16 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x5c4 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:36:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0x1390 Process Name: C:\Windows\System32\CompatTelRunner.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:36:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:36:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:39:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1f10 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:39:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f10 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:39:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1f10 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:39:24 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1f10 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:44:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x205c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 07:44:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x205c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:48:08 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 07:48:08 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 07:56:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:56:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12548 | 2017-01-16 07:56:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-16 07:56:23 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:56:39 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 07:56:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 08:13:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:13:32 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:13:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:13:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:25:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a08 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:25:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a08 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:25:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x1a08 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:25:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x1a08 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:25:37 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x2054 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed132 Linked Logon ID: 0x5ed165 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 11 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed165 Linked Logon ID: 0x5ed132 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x478 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: RAZER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed653 Linked Logon ID: 0x5ed7b1 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed7b1 Linked Logon ID: 0x5ed653 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e4 Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: RAZER Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Negotiat Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5ed7b1 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5ed653 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5ed165 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x5ed132 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed132 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: thangduong.dev@gmail.com Account Domain: MicrosoftAccount Logon ID: 0x5ed653 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Changed Attributes: SAM Account Name: - Display Name: Th?ng Duong User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:40 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:47:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x774 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 08:52:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:52:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 08:56:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:56:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:56:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 08:56:03 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 08:57:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 08:57:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 09:02:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xc84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:02:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xc84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:02:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xc84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:02:53 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xc84 Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:03:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:03:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:03:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:03:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\taskhostw.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 09:04:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: wdmycloud Additional Information: wdmycloud Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.23 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 09:04:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6604c Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-FS-0-5.hff-group.com Additional Information: AMA-FS-0-5.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.5 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: RAZER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1e8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2017-01-16 09:06:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-500 Account Name: Administrator Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-501 Account Name: Guest Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-503 Account Name: DefaultAccount Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1000 Account Name: defaultuser0 Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e User: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1002 Group Name: __vmware__ Group Domain: RAZER Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2017-01-16 09:06:41 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0xd4 Process Name: C:\Program Files (x86)\FinalWire\AIDA64 Extreme\aida64.exe
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.26.0.7 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2017-01-16 09:06:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2377419948-2109103339-2207952465-1001 Account Name: Deathadder™ Account Domain: RAZER Logon ID: 0x6601e Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: thangduong.dev@hff-group.com Account Domain: Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: AMA-DHCPRN-0-7.hff-group.com Additional Information: AMA-DHCPRN-0-7.hff-group.com Process Information: Process ID: 0x77c Process Name: C:\Windows\System32\spoolsv.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | System | Warning | 1014 | 2017-01-09 09:11:23 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name pqbhvyzl timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:12:59 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name eschqfon timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:15:53 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name pnpoqllth timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:17:03 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name caskvlqsdxzu timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:18:41 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name lqmnqyfalp timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:19:28 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ggytpkzxy timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-09 09:31:41 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-09 09:38:39 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name rcwaouehyikcdx timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 09:47:46 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name qvpbfzuo timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 10:14:57 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name lauhdweuzehr timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 10:16:20 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ccyogcprhnggkh timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-09 11:36:06 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-09 11:59:09 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-09 13:21:35 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-09 14:44:47 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-09 15:23:58 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ywkasqmzmakiguf timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 15:28:43 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ygmhpqsfisn timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-09 16:56:53 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name trqwcqwl timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-09 17:00:23 | Deathadder™ | DCOM | 10010: The server {0002DF02-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
|
| | System | Error | 2 | 2017-01-09 17:00:34 | | Microsoft-Windows-NDIS | 10317: Miniport Qualcomm Atheros AR9485 802.11b|g|n WiFi Adapter, {31436C31-1332-44CA-B5AA-792AF0C03CE3}, had event 74
|
| | System | Error | None | 2017-01-09 17:00:45 | | Service Control Manager | 7023: The CDPUserSvc_2332d814 service terminated with the following error: %%2147500037
|
| | System | Warning | 7 | 2017-01-09 17:01:05 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 3 is being limited by system firmware. The processor has been in this reduced performance state for 156124 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 17:01:05 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 2 is being limited by system firmware. The processor has been in this reduced performance state for 156124 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 17:01:05 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 156124 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 17:01:05 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 156124 seconds since the last report.
|
| | System | Error | None | 2017-01-09 19:35:05 | Deathadder™ | DCOM | 10010: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-09 19:39:10 | | iaStorA | 4102: Error log: Smart event occured on disk :S2UQJ9KCB01231
|
| | System | Error | None | 2017-01-09 19:39:16 | | Service Control Manager | 7023: The CDPUserSvc_23522d14 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | | disk | 51: An error was detected on device \Device\Harddisk2\DR2 during a paging operation.
|
| | System | Warning | None | 2017-01-09 19:40:06 | SYSTEM | Microsoft-Windows-Ntfs | 140: The system tried to join a drive to a directory on a substituted drive.
|
| | System | Warning | None | 2017-01-09 19:40:06 | SYSTEM | Microsoft-Windows-Ntfs | 140: The system tried to join a drive to a directory on a substituted drive.
|
| | System | Warning | None | 2017-01-09 19:40:07 | | disk | 157: Disk 1 has been surprise removed.
|
| | System | Warning | None | 2017-01-09 19:40:07 | | disk | 157: Disk 2 has been surprise removed.
|
| | System | Warning | None | 2017-01-09 19:40:07 | SYSTEM | Microsoft-Windows-Ntfs | 140: The system tried to join a drive to a directory on a substituted drive.
|
| | System | Warning | None | 2017-01-09 19:40:07 | SYSTEM | Microsoft-Windows-Ntfs | 140: The system tried to join a drive to a directory on a substituted drive.
|
| | System | Warning | None | 2017-01-09 19:40:07 | SYSTEM | Microsoft-Windows-Ntfs | 140: The system tried to join a drive to a directory on a substituted drive.
|
| | System | Error | None | 2017-01-09 19:40:18 | | Service Control Manager | 7023: The CDPUserSvc_2361db10 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-09 19:53:10 | | EventLog | 6008: The previous system shutdown at 4:46:23 PM on 1/9/2017 was unexpected.
|
| | System | Warning | None | 2017-01-09 19:53:18 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-09 19:53:24 | | Service Control Manager | 7023: The CDPUserSvc_59339 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-09 19:57:57 | | EventLog | 6008: The previous system shutdown at 7:57:54 PM on 1/9/2017 was unexpected.
|
| | System | Error | None | 2017-01-09 19:58:05 | | Service Control Manager | 7023: The CDPUserSvc_524d7 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-09 19:58:05 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 7 | 2017-01-09 21:37:19 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 1 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 21:37:19 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 2 is being limited by system firmware. The processor has been in this reduced performance state for 1 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 21:37:19 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 1 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-09 21:37:19 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 3 is being limited by system firmware. The processor has been in this reduced performance state for 1 seconds since the last report.
|
| | System | Error | None | 2017-01-10 07:11:50 | | Service Control Manager | 7023: The CDPUserSvc_8ea2c3 service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-10 07:11:51 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name inference.location.live.net timed out after none of the configured DNS servers responded.
|
| | System | Warning | 212 | 2017-01-10 09:00:34 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-10 09:00:42 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-10 09:00:50 | | Service Control Manager | 7023: The CDPUserSvc_4ba97 service terminated with the following error: %%2147500037
|
| | System | Warning | 212 | 2017-01-10 09:29:06 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-10 09:29:13 | | Service Control Manager | 7023: The CDPUserSvc_40722 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-10 09:29:14 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-10 09:36:53 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 09:51:05 | | volmgr | 46: Crash dump initialization failed!
|
| | System | Error | None | 2017-01-10 09:51:10 | | EventLog | 6008: The previous system shutdown at 9:29:06 AM on 1/10/2017 was unexpected.
|
| | System | Error | None | 2017-01-10 09:51:17 | | Service Control Manager | 7023: The CDPUserSvc_403ce service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-10 09:51:18 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 212 | 2017-01-10 09:52:42 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C3FB294B05099680068&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-10 09:52:47 | | Service Control Manager | 7023: The CDPUserSvc_38e61 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-10 09:52:50 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-10 10:17:46 | | EventLog | 6008: The previous system shutdown at 9:52:42 AM on 1/10/2017 was unexpected.
|
| | System | Warning | 212 | 2017-01-10 10:17:46 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C3FB294B05099680068&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-10 10:17:54 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 212 | 2017-01-10 10:21:01 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C3FB294B05099680068&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-10 10:21:09 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-10 10:21:53 | | Service Control Manager | 7023: The CDPUserSvc_49958 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-10 11:48:45 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 11:57:42 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 14:31:58 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 14:58:58 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 15:45:00 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 15:52:29 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-10 19:32:27 | | Service Control Manager | 7023: The CDPUserSvc_10a7c49 service terminated with the following error: %%2147500037
|
| | System | Warning | 7 | 2017-01-10 19:33:32 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-10 19:33:32 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-10 19:33:32 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 2 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-10 19:33:32 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 3 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2017-01-11 07:16:50 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 07:16:50 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Error | None | 2017-01-11 07:21:10 | | Service Control Manager | 7023: The CDPUserSvc_1ba579a service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-11 07:21:19 | Deathadder™ | DCOM | 10010: The server {4AA0A5C4-1B9B-4F2E-99D7-99C6AEC83474} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:19 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:19 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:19 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:19 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:20 | | Service Control Manager | 7009: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_1ba579a service to connect.
|
| | System | Error | None | 2017-01-11 07:21:20 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:20 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:21:20 | Deathadder™ | DCOM | 10010: The server {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-11 07:26:48 | | Service Control Manager | 7023: The CDPUserSvc_1c0b55b service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-11 07:31:14 | SYSTEM | Ntfs | 55: A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.
|
| | System | Warning | None | 2017-01-11 07:31:14 | SYSTEM | Microsoft-Windows-Ntfs | 98:
|
| | System | Warning | 1014 | 2017-01-11 07:37:39 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ocos-office365-s2s.msedge.net timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 08:11:55 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name tinhte.vn timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-11 09:33:31 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2017-01-11 09:33:45 | | VMnetDHCP | 1: dispatch: Timeout waiting for input data
|
| | System | Warning | None | 2017-01-11 10:07:24 | Deathadder™ | User32 | 1073: The attempt by user RAZER\Deathadder™ to restart/shutdown computer RAZER failed
|
| | System | Warning | None | 2017-01-11 10:21:12 | SYSTEM | Microsoft-Windows-Ntfs | 98:
|
| | System | Warning | None | 2017-01-11 10:21:25 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-11 10:23:22 | | Service Control Manager | 7023: The CDPUserSvc_6db4c service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-11 10:36:12 | SYSTEM | Ntfs | 55: A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.
|
| | System | Warning | 1014 | 2017-01-11 11:49:29 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-11 11:57:53 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-11 12:46:31 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name isatap.hff-group.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 12:47:19 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 12:47:24 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name isatap.hff-group.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 13:37:20 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name www.tiwtter.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-11 15:05:53 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-11 15:41:42 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-11 16:28:49 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name https timed out after none of the configured DNS servers responded.
|
| | System | Warning | 7 | 2017-01-11 19:17:42 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-11 19:17:42 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-11 19:17:42 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 2 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-11 19:17:42 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 3 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Error | None | 2017-01-11 19:19:07 | | Service Control Manager | 7023: The CDPUserSvc_14cc0ff service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-11 19:19:43 | | VMnetDHCP | 1: dispatch: Timeout waiting for input data
|
| | System | Warning | 1014 | 2017-01-11 19:21:20 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name settings-ssl.xboxlive.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:26:59 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name connect.linksys.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:27:15 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name accounts.google.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:33:06 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name www.google.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:34:02 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name kv301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:35:45 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name v10.vortex-win.data.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:35:46 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name client.wns.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:37:54 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ajax.googleapis.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:40:35 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 19:46:33 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 19:52:35 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 19:52:36 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 19:52:36 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name skyapi.live.net timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:12:58 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:13:12 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:13:12 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name time.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:13:27 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name www.google.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:16:44 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-01.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:17:05 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name settings-win.data.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:17:10 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:17:19 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name beacons4.gvt2.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:17:22 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:17:22 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:17:24 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:17:52 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:17:53 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:18:08 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name v10.vortex-win.data.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:18:10 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:18:22 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:20:36 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name www.linksys.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:21:13 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2017-01-11 20:21:14 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:21:19 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-09.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-11 20:21:31 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | 1014 | 2017-01-11 20:21:31 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name time.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:23:01 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name clients2.google.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:27:04 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name connect.linksys.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:31:15 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name accounts.google.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:34:49 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name livetileedge.dsx.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:38:17 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:39:33 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:40:03 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-06.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:44:47 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name docs.live.net timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:48:37 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name connect.facebook.net timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:56:16 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name v10.vortex-win.data.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 20:57:51 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name downloads6.kaspersky-labs.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:00:17 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name connect.linksys.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:02:34 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-03.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:04:59 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name officecdn.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:10:38 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name client.wns.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:23:11 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name officecdn.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:30:21 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name array303-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:42:09 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name client.wns.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:42:23 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name client.wns.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:53:35 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name kv301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:54:31 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name vozforums.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:55:02 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 21:58:12 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 22:06:42 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-02.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 22:09:33 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ntk.me timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 22:14:26 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name disc301-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-11 22:15:05 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-19.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2017-01-12 07:19:03 | SYSTEM | Microsoft-Windows-Ntfs | 98:
|
| | System | Warning | None | 2017-01-12 07:19:19 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-12 07:20:24 | | Service Control Manager | 7023: The CDPUserSvc_f9d11 service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-12 07:26:58 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name www.google.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 07:34:03 | SYSTEM | Ntfs | 55: A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.
|
| | System | Warning | 1014 | 2017-01-12 07:34:57 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name store-images.s-microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 08:20:09 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2017-01-12 08:29:11 | SYSTEM | Ntfs | 130: The file system structure on volume D: has now been repaired.
|
| | System | Warning | None | 2017-01-12 09:15:13 | | disk | 51: An error was detected on device \Device\Harddisk3\DR5 during a paging operation.
|
| | System | Error | None | 2017-01-12 09:20:03 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-12 09:27:08 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-12 10:21:06 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-12 10:21:09 | Deathadder™ | DCOM | 10010: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
|
| | System | Warning | 212 | 2017-01-12 11:44:53 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-12 11:45:00 | | Service Control Manager | 7023: The CDPUserSvc_4d41c service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-12 11:45:01 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 1014 | 2017-01-12 11:45:04 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 11:45:27 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 11:47:21 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 212 | 2017-01-12 15:41:19 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-12 15:41:25 | | Service Control Manager | 7023: The CDPUserSvc_47590 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-12 15:41:27 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 1014 | 2017-01-12 15:41:28 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 15:41:33 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 15:41:44 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-12 15:41:45 | Deathadder™ | DCOM | 10010: The server App.AppXx4zfy1ffv3wctgdz2vypnybzjkh27jhw.mca did not register with DCOM within the required timeout.
|
| | System | Warning | 212 | 2017-01-12 15:43:02 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-12 15:43:10 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 212 | 2017-01-12 15:44:26 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-12 15:44:34 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 212 | 2017-01-12 19:12:37 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-12 19:12:45 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-12 19:14:16 | | Service Control Manager | 7023: The CDPUserSvc_831fa service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-12 19:14:45 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name login.live.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 19:15:25 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-12 19:15:29 | Deathadder™ | DCOM | 10010: The server {DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} did not register with DCOM within the required timeout.
|
| | System | Warning | 212 | 2017-01-12 20:30:00 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-12 20:30:08 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-12 20:30:21 | | Service Control Manager | 7023: The CDPUserSvc_60a1a service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-12 20:33:04 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name geover-prod.do.dsp.mp.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 20:44:54 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name dnl-00.geo.kaspersky.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 20:45:12 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name service.weather.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 21:00:27 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name nexus.officeapps.live.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 21:17:16 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name client.wns.windows.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-12 21:33:45 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name vozforums.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-12 21:39:05 | Deathadder™ | DCOM | 10010: The server App.AppXx4zfy1ffv3wctgdz2vypnybzjkh27jhw.mca did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-12 21:39:05 | Deathadder™ | DCOM | 10010: The server App.AppXx4zfy1ffv3wctgdz2vypnybzjkh27jhw.mca did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-12 21:39:05 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 212 | 2017-01-13 04:34:35 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-13 04:34:43 | | Service Control Manager | 7023: The CDPUserSvc_4fe46 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-13 04:34:43 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 1014 | 2017-01-13 04:34:46 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 04:35:10 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 212 | 2017-01-13 04:35:34 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-13 04:35:38 | | Service Control Manager | 7023: The CDPUserSvc_3f283 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-13 04:35:42 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | 1014 | 2017-01-13 04:35:49 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name wpad timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 04:36:17 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 212 | 2017-01-13 04:51:31 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-13 04:51:38 | | Service Control Manager | 7023: The CDPUserSvc_4a1a7 service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-13 04:51:39 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-13 04:58:05 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-13 04:59:04 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name mqddtxyf timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-13 06:19:35 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name akgouxtcibkg timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 06:38:39 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-13 06:38:41 | Deathadder™ | DCOM | 10010: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
|
| | System | Warning | 212 | 2017-01-13 07:07:50 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_8.07#SLMJ1M50&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Error | None | 2017-01-13 07:07:56 | | Service Control Manager | 7023: The CDPUserSvc_489df service terminated with the following error: %%2147500037
|
| | System | Warning | None | 2017-01-13 07:07:58 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Warning | None | 2017-01-13 07:11:47 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-13 07:11:49 | | Service Control Manager | 7023: The CDPUserSvc_51579 service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-13 07:18:49 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ecn.dev.virtualearth.net timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 07:29:46 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-13 08:59:52 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-13 08:59:57 | Deathadder™ | DCOM | 10010: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
|
| | System | Warning | 1014 | 2017-01-13 14:12:51 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name kdtour15.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 15:26:16 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-13 16:08:08 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name kdtour15.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-13 17:18:28 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2017-01-13 19:13:46 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-13 19:14:04 | | Service Control Manager | 7023: The CDPUserSvc_69cc0 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-14 01:04:22 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 07:17:12 | | Service Control Manager | 7023: The CDPUserSvc_c42b59 service terminated with the following error: %%2147500037
|
| | System | Warning | 7 | 2017-01-14 07:18:14 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 3 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-14 07:18:14 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-14 07:18:14 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 7 | 2017-01-14 07:18:14 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 2 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | 1014 | 2017-01-14 07:20:27 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name tqrsqtzuozloe timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-14 08:09:00 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-14 09:45:08 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name beacons.gvt2.com timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-14 11:06:26 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 11:56:30 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 13:57:55 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 14:56:41 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 15:59:56 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 16:27:01 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-14 16:27:05 | Deathadder™ | DCOM | 10010: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-14 19:28:14 | | Service Control Manager | 7023: The CDPUserSvc_23d854e service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-14 21:37:36 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2017-01-15 10:50:47 | | Service Control Manager | 7023: The CDPUserSvc_29464f6 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-15 11:26:06 | Deathadder™ | DCOM | 10010: The server App.AppXy9rh3t8m2jfpvhhxp6y2ksgeq77vymbq.mca did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-15 19:08:29 | | EventLog | 6008: The previous system shutdown at 2:19:03 PM on 1/15/2017 was unexpected.
|
| | System | Warning | None | 2017-01-15 19:08:37 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-15 19:08:41 | | Server | 2505: The server could not bind to the transport \Device\NetBT_Tcpip_{74367705-1080-4F05-9786-7F596D436A07} because another computer on the network has the same name. The server could not start.
|
| | System | Error | None | 2017-01-15 19:08:41 | | Server | 2505: The server could not bind to the transport \Device\NetBT_Tcpip_{F9D5FEA5-DC0A-47C4-A571-4FF2A198094A} because another computer on the network has the same name. The server could not start.
|
| | System | Error | None | 2017-01-15 19:08:41 | | NetBT | 4321: The name "RAZER :0" could not be registered on the interface with IP address 192.168.0.106. The computer with the IP address 192.168.0.1 did not allow the name to be claimed by this computer.
|
| | System | Error | None | 2017-01-15 19:08:41 | | NetBT | 4321: The name "RAZER :20" could not be registered on the interface with IP address 192.168.0.106. The computer with the IP address 192.168.0.1 did not allow the name to be claimed by this computer.
|
| | System | Error | None | 2017-01-15 19:08:46 | | Service Control Manager | 7023: The CDPUserSvc_62d74 service terminated with the following error: %%2147500037
|
| | System | Error | None | 2017-01-15 20:06:35 | Deathadder™ | DCOM | 10010: The server App.AppXy9rh3t8m2jfpvhhxp6y2ksgeq77vymbq.mca did not register with DCOM within the required timeout.
|
| | System | Error | None | 2017-01-16 07:29:15 | | EventLog | 6008: The previous system shutdown at 10:28:29 PM on 1/15/2017 was unexpected.
|
| | System | Warning | 212 | 2017-01-16 07:29:15 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#60A44C3FB294B05099680068&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
|
| | System | Warning | None | 2017-01-16 07:29:23 | SYSTEM | Microsoft-Windows-Wininit | 11: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
|
| | System | Error | None | 2017-01-16 07:29:37 | | Service Control Manager | 7023: The CDPUserSvc_6775c service terminated with the following error: %%2147500037
|
| | System | Warning | 1014 | 2017-01-16 08:00:55 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name gehcvwznrsj timed out after none of the configured DNS servers responded.
|
| | System | Error | None | 2017-01-16 08:25:36 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2017-01-16 08:53:54 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name vozforums.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-16 08:59:02 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name go.trouter.io timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-16 09:00:45 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name s.gateway.messenger.live.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 1014 | 2017-01-16 09:00:55 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name _ldap._tcp.dc._msdcs.WORKGROUP timed out after none of the configured DNS servers responded.
|